IoT Reconnaissance

Reconnaissance

The first phase of IoT pentesting involves identifying the device, understanding its ecosystem, and mapping all potential attack vectors across network, firmware, and hardware layers.

Device Identification

Physical Inspection

Gather information from the device itself:

External Labels

  • Model number and serial number
  • FCC ID (required for US devices)
  • MAC address (often on label)
  • Default credentials (sometimes printed)
  • Regulatory certifications (CE, UL, etc.)

Internal Inspection

  • Chipset identification (SoC, WiFi, etc.)
  • Flash memory chips (for extraction)
  • Debug headers (UART, JTAG)
  • Test points and unpopulated pads
  • Antenna connectors

FCC ID Lookup

The FCC ID can reveal internal photos, schematics, and technical documentation:

```bash
# FCC ID lookup resources
# https://fccid.io/                    - Easy search interface
# https://www.fcc.gov/oet/ea/fccid     - Official FCC database

# Example: Looking up "2AJGM-CAMERA01"
# Often reveals:
# - Internal/external photos
# - Test reports
# - User manuals
# - Block diagrams
# - Schematics (sometimes)
```

Online Research

```bash
# Google dorking for IoT devices
site:exploit-db.com "device_name"
site:cve.mitre.org "manufacturer"
site:github.com "device_model" exploit
"device_name" default password
"device_name" firmware download
"device_name" root shell
"device_name" teardown OR disassembly

# Shodan queries for similar devices
shodan search "product:device_name"
shodan search "http.title:device_name"
shodan search "ssl.cert.subject.cn:manufacturer.com"
```

Network Discovery

Finding IoT Devices on Network

```bash
# ARP scan for device discovery
sudo arp-scan -l

# Nmap host discovery
nmap -sn 192.168.1.0/24

# Identify IoT devices by MAC vendor (OUI prefix)
# Common IoT vendors:
# - Espressif (ESP8266/ESP32)
# - Tuya Smart
# - Shenzhen manufacturers
# - Raspberry Pi Foundation

# Full port scan on discovered device (SYN scan needs root)
sudo nmap -sS -sV -p- -T4 192.168.1.100

# Service version detection
nmap -sV -sC -p 80,443,8080,8443,23,22,554 192.168.1.100

# UDP scan for IoT protocols (also needs root)
sudo nmap -sU -p 67,68,123,161,5353,1900,5683 192.168.1.100
```

Common IoT Ports

| Port   | Protocol | Service    | Notes                            |
|--------|----------|------------|----------------------------------|
| 23     | TCP      | Telnet     | Often enabled with weak creds    |
| 80/443 | TCP      | HTTP/HTTPS | Web management interface         |
| 554    | TCP      | RTSP       | IP cameras streaming             |
| 1883   | TCP      | MQTT       | IoT messaging protocol           |
| 5683   | UDP      | CoAP       | Constrained Application Protocol |
| 8883   | TCP      | MQTT/TLS   | Encrypted MQTT                   |
| 1900   | UDP      | UPnP/SSDP  | Service discovery                |
| 5353   | UDP      | mDNS       | Multicast DNS discovery          |
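As an added example (not from the original page), a small Python parser for `nmap -oX` output that maps a device's open ports onto the table above, tags the host with the vendor nmap derives from the MAC OUI, and turns cleartext services into findings. The sample XML fragment and the severity labels are constructed here for illustration.

```python
import xml.etree.ElementTree as ET
# Rows from the "Common IoT Ports" table above, keyed by (port, protocol)
IOT_PORTS = {
    (23, "tcp"): "Telnet", (80, "tcp"): "HTTP", (443, "tcp"): "HTTPS",
    (554, "tcp"): "RTSP", (1883, "tcp"): "MQTT", (8883, "tcp"): "MQTT/TLS",
    (5683, "udp"): "CoAP", (1900, "udp"): "UPnP/SSDP", (5353, "udp"): "mDNS",
}
# Cleartext services that become findings when open; severities are our own assumption
CLEARTEXT = {(23, "tcp"): "high", (1883, "tcp"): "medium", (80, "tcp"): "low", (554, "tcp"): "low"}

def parse_nmap_xml(xml_text):
    """Return {ip: {"vendor": str|None, "open": [(port, proto, nmap_service)]}} from nmap -oX output."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip, vendor = None, None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                vendor = addr.get("vendor")  # nmap fills this from its MAC OUI table
        if ip is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name", "") if svc is not None else ""
                open_ports.append((int(port.get("portid")), port.get("protocol"), name))
        hosts[ip] = {"vendor": vendor, "open": open_ports}
    return hosts

def assess(hosts):
    """Label each open port with the table name and flag cleartext exposures as findings."""
    findings = []
    for ip, info in hosts.items():
        for port, proto, name in info["open"]:
            label = IOT_PORTS.get((port, proto), name or "unknown")
            severity = CLEARTEXT.get((port, proto))
            if severity:
                findings.append({"host": ip, "vendor": info["vendor"], "port": port, "service": label, "severity": severity})
    return findings

# Constructed nmap -oX fragment for one device (not a real scan result)
SAMPLE_XML = """<nmaprun><host><address addr="192.168.1.100" addrtype="ipv4"/>
<address addr="24:6F:28:00:00:00" addrtype="mac" vendor="Espressif"/><ports>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
<port protocol="tcp" portid="1883"><state state="open"/><service name="mqtt"/></port>
<port protocol="tcp" portid="8883"><state state="open"/><service name="ssl"/></port>
<port protocol="tcp" portid="22"><state state="closed"/></port></ports></host></nmaprun>"""
```

Feed it a real file with `parse_nmap_xml(open("scan.xml").read())`; the closed port and the TLS-wrapped MQTT port are parsed but produce no finding.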

Traffic Capture

```bash
# Capture all traffic from IoT device
sudo tcpdump -i eth0 -w iot_capture.pcap host 192.168.1.100

# Filter for specific protocols
sudo tcpdump -i eth0 -w mqtt.pcap port 1883
sudo tcpdump -i eth0 -w coap.pcap udp port 5683

# Wireshark display filter examples for the capture
# MQTT traffic
mqtt

# CoAP traffic
coap

# HTTP to cloud endpoints
http.host contains "amazonaws" or http.host contains "azure"

# DNS queries (see what domains the device contacts)
dns.qry.name contains "iot" or dns.qry.name contains "cloud"
```

Ecosystem Mapping

Identifying the Full Attack Surface

IoT devices rarely operate in isolation. Map the complete ecosystem:

┌─────────────────────────────────────────────────────────────────┐
│                        IoT ECOSYSTEM                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   ┌──────────┐      ┌──────────┐      ┌──────────────────┐     │
│   │  Mobile  │◄────►│   IoT    │◄────►│   Cloud API      │     │
│   │   App    │      │  Device  │      │   Backend        │     │
│   └──────────┘      └──────────┘      └──────────────────┘     │
│        │                 │                     │                │
│        ▼                 ▼                     ▼                │
│   ┌──────────┐      ┌──────────┐      ┌──────────────────┐     │
│   │ Local    │      │ Firmware │      │  Third-party     │     │
│   │ Storage  │      │ Updates  │      │  Integrations    │     │
│   └──────────┘      └──────────┘      └──────────────────┘     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
      

Mobile App Analysis

```bash
# Download APK for Android app analysis
# From device:
adb shell pm list packages | grep -i "manufacturer"
adb shell pm path com.manufacturer.iotapp
# Use the path printed by 'pm path'; the install directory suffix varies
adb pull /data/app/com.manufacturer.iotapp-1/base.apk

# Decompile APK
apktool d base.apk -o decompiled_app
jadx base.apk -d jadx_output

# Search for interesting strings (-E for the alternation patterns)
grep -r "api.manufacturer.com" jadx_output/
grep -rE "password|secret|key|token" jadx_output/
grep -rE "http://|https://" jadx_output/

# For iOS apps, use tools like:
# - Hopper Disassembler
# - class-dump
# - Frida for runtime analysis
```

Cloud Backend Enumeration

```bash
# Identify cloud endpoints from traffic capture
tshark -r iot_capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

# Common cloud backends:
# - AWS IoT Core: *.iot.*.amazonaws.com
# - Azure IoT Hub: *.azure-devices.net
# - Google Cloud IoT: mqtt.googleapis.com
# - Tuya: *.tuya*.com
# - Particle: api.particle.io

# Test API endpoints
curl -v https://api.manufacturer.com/v1/devices
curl -v https://api.manufacturer.com/v1/user/info

# Check for exposed API documentation
# https://api.manufacturer.com/swagger
# https://api.manufacturer.com/docs
# https://api.manufacturer.com/v1/openapi.json
```
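An added example, not part of the original page: it takes the output of the tshark DNS command above and groups the unique query names by the backend patterns listed, so the inventory shows which cloud services the device depends on. Names matching no pattern are bucketed under a naive last-two-labels registered domain (an assumption, since no public-suffix list is used) so third-party integrations stand out; the sample tshark output is constructed.

```python
import re
from fnmatch import fnmatch

# Backend name patterns listed above; fnmatch treats '*' as any run of characters
BACKENDS = {
    "AWS IoT Core": "*.iot.*.amazonaws.com",
    "Azure IoT Hub": "*.azure-devices.net",
    "Google Cloud IoT": "mqtt.googleapis.com",
    "Tuya": "*.tuya*.com",
    "Particle": "api.particle.io",
}

def registered_domain(name):
    """Last two labels of a name (assumption: no public-suffix list available offline)."""
    labels = name.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name

def classify_queries(tshark_output):
    """Group unique query names from `tshark ... -e dns.qry.name` output by backend.
    Names matching no pattern land in 'other:<registered domain>' so third-party
    integrations stand out in the ecosystem inventory."""
    inventory = {}
    for line in tshark_output.splitlines():
        # tshark joins several names from one packet with commas (default aggregator)
        for name in line.split(","):
            name = name.strip().lower()
            if not re.fullmatch(r"[a-z0-9.-]+", name):
                continue  # skip blanks and anything that is not a hostname
            bucket = next((b for b, pat in BACKENDS.items() if fnmatch(name, pat)), None)
            inventory.setdefault(bucket or "other:" + registered_domain(name), set()).add(name)
    return inventory

# Constructed `tshark -r iot_capture.pcap -Y dns -T fields -e dns.qry.name` output
SAMPLE_TSHARK = """a1b2c3-ats.iot.us-east-1.amazonaws.com
A1B2C3-ats.iot.us-east-1.amazonaws.com
myhub.azure-devices.net
a1.tuyaus.com
pool.ntp.org
analytics.example.org,cdn.example.org
"""
```

Run it on a live capture with `classify_queries(subprocess.run([...tshark args...], capture_output=True, text=True).stdout)`; the `other:` buckets are the ones to review for integrations the vendor never documented.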

Firmware Acquisition

Download Methods

```bash
# Official sources
# - Manufacturer support/download pages
# - In-app update servers (capture the URL)
# - FCC filings (sometimes include firmware)

# Intercept firmware update
# Set up proxy and capture update URL
mitmproxy -p 8080

# Common update URL patterns
# https://update.manufacturer.com/firmware/v1.2.3.bin
# https://s3.amazonaws.com/manufacturer-firmware/device_v1.2.3.bin

# Download with wget
wget https://manufacturer.com/firmware/latest.bin

# If encrypted/signed, look for:
# - Older unencrypted versions
# - Debug/beta firmware
# - Keys in mobile app or device memory
```

Can't Find Firmware?

If firmware isn't available online, you'll need to extract it directly from the device using hardware methods (UART, JTAG, SPI flash dump). See the Hardware Hacking section.

Reconnaissance Checklist

Physical & Documentation

  • ☐ Record model number, serial, FCC ID
  • ☐ Look up FCC ID for internal photos
  • ☐ Find user manual and documentation
  • ☐ Search for known vulnerabilities (CVEs)
  • ☐ Check for default credentials online

Network

  • ☐ Identify device IP and MAC address
  • ☐ Full port scan (TCP and UDP)
  • ☐ Service version identification
  • ☐ Capture network traffic
  • ☐ Identify cloud endpoints contacted

Ecosystem

  • ☐ Download and analyze mobile app
  • ☐ Enumerate cloud API endpoints
  • ☐ Identify third-party integrations
  • ☐ Locate firmware download source
  • ☐ Map all communication protocols used