CEH Lab Manual Page 1618
Module 18: IoT and OT Hacking

Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 18 IoT and OT Hacking

IoT and OT Hacking

IoT and OT device hacking is performed to compromise smart devices such as CCTV cameras, automobiles, printers, door locks, washing machines, etc., to gain unauthorized access to network resources as well as to the IoT and OT devices themselves.

Lab Scenario

The rapid development of the Internet of Things (IoT) paradigm is contributing to the proliferation of connected devices in daily life. From smart homes to automated healthcare applications, IoT is ubiquitous. However, despite the potential of IoT to make our lives easier and more comfortable, we cannot underestimate its vulnerability to cyber-attacks. Many IoT devices lack basic security controls, which makes them prone to a range of attacks. The objective of an attacker exploiting IoT devices is to gain unauthorized access to users' devices and data. An attacker can use compromised IoT devices to build a botnet, which in turn is used to launch DDoS attacks.

Owing to a lack of security policies, smart devices are easy targets for attackers, who can compromise them to spy on users' activities, misuse sensitive information (such as patients' health records), install ransomware to block access to the devices, monitor victims through CCTV cameras, commit credit-card fraud, gain access to users' homes, or recruit the devices into a botnet to carry out DDoS attacks.

As an ethical hacker and penetration tester, you must have sound knowledge of hacking IoT and OT platforms using various tools and techniques. The labs in this module will give you hands-on experience in performing footprinting and analyzing the traffic between IoT and OT devices.
Lab Objectives

The objective of this lab is to perform IoT and OT platform hacking and other tasks that include, but are not limited to:

* Performing IoT and OT device footprinting
* Capturing and analyzing traffic between IoT devices

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Ubuntu virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Lab Duration

Time: 30 Minutes

Overview of IoT and OT Hacking

Using the IoT and OT hacking methodology, an attacker acquires information using techniques such as information gathering, attack surface identification, and vulnerability scanning, and uses that information to attack the target device and network. The phases of IoT and OT device hacking are:

* Information gathering
* Vulnerability scanning
* Launch attacks
* Gain remote access
* Maintain access

Lab Tasks

Ethical hackers and pen testers use numerous tools and techniques to hack target IoT and OT platforms. Recommended labs that will assist you in learning various IoT platform hacking techniques include:

1. Perform Footprinting using Various Footprinting Techniques
   1.1 Gather Information using Online Footprinting Tools
2. Capture and Analyze IoT Device Traffic
   2.1 Capture and Analyze IoT Traffic using Wireshark

Remarks

EC-Council has prepared a considerable number of lab exercises for students to practice during the 5-day class and in their free time to enhance their knowledge and skills.

* Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practiced during the 5-day class.
* Self-study - Lab exercise(s) marked under Self-study are for students to practice in their free time. Steps to access the additional lab exercises can be found in the CEHv11 volume 1 book.
* iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools, and scripts, and can be accessed from anywhere with an Internet connection. If you are interested in learning more about our iLabs solution, please contact your training center or visit http://ilabs.eccouncil.org.

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB

Lab 1: Perform Footprinting using Various Footprinting Techniques

Ethical hackers and penetration testers are aided in footprinting by various tools that make information gathering an easy task.

Lab Scenario

As a professional ethical hacker or pen tester, your first step is to gather as much information as possible about the target IoT and OT devices by performing footprinting through search engines, advanced Google hacking, Whois lookup, etc. The first step in IoT and OT device hacking is to extract information such as the IP address, protocols used (MQTT, Modbus, ZigBee, BLE, 5G, 6LoWPAN, etc.), open ports, device type, geolocation of the device, manufacturing number, and manufacturer of the device.
Lab Objectives

* Gather information using online footprinting tools

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 15 Minutes

Overview of Footprinting Techniques

Footprinting techniques are used to collect basic information about the target IoT and OT platforms before exploiting them. Information collected through footprinting includes the IP address, hostname, ISP, device location, banner of the target IoT device, FCC ID information, certifications granted to the device, etc.

Lab Tasks

TASK 1: Gather Information using Online Footprinting Tools

Note: In this task, we focus on footprinting the MQTT protocol, a machine-to-machine (M2M)/Internet of Things connectivity protocol. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium. You can also select a protocol or device of your choice to perform footprinting on.

1. Turn on the Windows 10 virtual machine and log in with the credentials Admin and Pa$$w0rd.

2. Open any web browser (here, Mozilla Firefox), type https://www.whois.com/whois/ in the address bar, and press Enter.

3. The Whois Domain Lookup page appears; type oasis-open.org in the search field and click SEARCH.

Note: OASIS is the organization that published the MQTT v5.0 standard, which represents a significant leap in the refinement and capability of the messaging protocol that already powers IoT.
4. The result appears, displaying the Domain Information for oasis-open.org (registrar, registration and expiry dates, domain status, name servers), the Registrant Contact (organization OASIS Open, state MA, country US), and the Raw Whois Data, as shown in the screenshots.

Figure 1.2: Whois lookup result: Domain Information and Registrant Contact
Figure 1.3: Whois lookup result: Raw Whois Data

Note: A Whois lookup reveals the publicly available registration information on a hostname, IP address, or domain.

5. Now, press Ctrl+T to open a new tab, type https://www.exploit-db.com/google-hacking-database in the address bar, and press Enter.

6. The Google Hacking Database page appears; type SCADA in the Quick Search field and press Enter.

7. The result appears, displaying the Google dorks related to SCADA, as shown in the screenshot.

Figure 1.4: Google Hacking Database results

8. Now, we will use the dorks obtained in the previous step to query results in Google.

9. Press Ctrl+T to open a new tab, type https://www.google.com in the address bar, and press Enter.

10. In the search field, type "login" intitle:"scada login" and click the Google Search button.

Figure 1.5: Entering the dork in the Google search field

11. The search result appears; click any link (here, SCADA - seamtec SCADA login).

Figure 1.6: SCADA login page search result

Note: Advanced Google hacking refers to the art of creating complex search-engine queries by employing advanced Google operators to extract sensitive or hidden information about a target company from the Google search results.

12. The seamtec SCADA login page appears, as shown in the screenshot.

Note: In the login form, you could attempt to brute-force the credentials to gain access to the target SCADA system.

13. Similarly, you can use advanced search operators such as intitle:"index of" scada to search for sensitive SCADA directories that are exposed on websites.

14. Now, in the browser window, press Ctrl+T to open a new tab, type https://account.shodan.io/login in the address bar, and press Enter.

15. The Login with Shodan page appears; enter your username and password in the Username and Password fields, respectively, and click Login.

Note: Go to the Register option to register yourself if you do not have an existing account.

Figure 1.8: Login with Shodan page

16. The Account Overview page appears, which displays the account-related information.

Note: If the "Would you like Firefox to save this login for shodan.io?" notification appears, click Don't Save.

17. Click Shodan in the top-left corner of the window.

Figure 1.9: Account Overview page

18. The Shodan main page appears; type port:1883 in the search field and press Enter.

Note: Port 1883 is the default MQTT port; IANA registers 1883 as MQTT over plain TCP (8883 is registered for MQTT over TLS). A broker listening on 1883 carries its traffic unencrypted.

19. The result appears, displaying the list of IP addresses with port 1883 open, as shown in the screenshot.

20. Click on any IP address to view its detailed information.

Figure 1.10: Port 1883 search results

21. Detailed results for the selected IP address appear, displaying information regarding Ports, Services, Hostnames, ASN, etc., as shown in the screenshot.

Figure 1.12: Detailed information

22. Similarly, you can gather additional information on target devices using the following Shodan filters:

* Search for Modbus-enabled ICS/SCADA systems: port:502
* Search for SCADA systems by PLC vendor name: "Schneider Electric"
* Search for SCADA systems by geolocation: SCADA country:"US"

23. Using Shodan, you can obtain the details of SCADA systems that are used in water treatment plants, nuclear power plants, HVAC systems, electrical transmission systems, home heating systems, etc.

24. This concludes the demonstration of gathering information on a target device using various techniques such as Whois lookup, advanced Google hacking, and the Shodan search engine.

25. Close all open windows and document all the acquired information.

26. Turn off the Windows 10 virtual machine.

Lab Analysis

Analyze and document all the results obtained in the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS ABOUT THIS LAB

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs

Lab 2: Capture and Analyze IoT Device Traffic

IoT refers to a network of devices having an IP address as well as the capability to sense, collect, and send data using embedded sensors, communication hardware, and processors.

Lab Scenario

As a professional ethical hacker or pen tester, you must have sound knowledge of how to capture and analyze the traffic between IoT devices. Using various tools and techniques, you can capture the valuable data flowing between IoT devices, analyze it to obtain information on the communication protocol used by the IoT devices, and acquire sensitive information such as credentials, device identification numbers, etc.
Lab Objectives

* Capture and analyze IoT traffic using Wireshark

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Ubuntu virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Lab Duration

Time: 15 Minutes

Overview of IoT and OT Traffic

Many IoT devices such as security cameras host websites for controlling or configuring the camera from remote locations. These websites mostly implement the insecure HTTP protocol instead of HTTPS and are hence vulnerable to various attacks. If the cameras use the default factory credentials, an attacker can easily intercept all the traffic flowing between the camera and the web application and further gain access to the camera itself. Attackers can use tools such as Wireshark to intercept such traffic and, given the Wi-Fi key of the target network, decrypt the captured wireless frames.

Lab Tasks

TASK 1: Capture and Analyze IoT Traffic using Wireshark

Here, we use Wireshark to capture and analyze traffic between IoT devices.

Note: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

1. Turn on the Windows 10 and Ubuntu virtual machines.

2. In the Ubuntu virtual machine, click on the Ubuntu user, type toor in the Password field, and press Enter to sign in to the machine.

3. In the left pane under the Activities list, scroll down and click the Terminal icon to open a terminal window.

4. In the terminal window, type sudo snap install mqtt-explorer and press Enter to install the MQTT Explorer tool.

Note: MQTT Explorer is a comprehensive MQTT client that provides a structured overview of your MQTT topics and simplifies working with devices/services on your broker.

5. At the [sudo] password for ubuntu prompt, enter toor as the password and press Enter.

6. After the installation is complete, switch to the Windows 10 virtual machine and log in with the credentials Admin/Pa$$w0rd.

7. Open the Wireshark application and double-click the available interface (here, Ethernet0) to start capturing packets.

8. Leave the Wireshark window running.

9. Switch back to the Ubuntu virtual machine. In the terminal window, type mqtt-explorer and press Enter to launch the MQTT Explorer tool.

Figure 2.3: Launching MQTT Explorer

10. The MQTT Explorer tool initializes and the MQTT Explorer main window appears, as shown in the screenshot.

11. In the MQTT Connection window, click CONNECT.

Figure 2.4: MQTT Explorer main window

12. MQTT Explorer starts establishing a connection with the broker configured in the left pane, as shown in the screenshot.

Figure 2.5: MQTT Explorer establishing a connection

13. Wait for some time, and then click DISCONNECT in the top section of the MQTT Explorer window to disconnect the tool.

14. Switch to the Windows 10 virtual machine.
15. In the Wireshark window, click the Stop button to stop capturing packets.

Figure 2.7: Stopping the packet capture in Wireshark

16. Now, in the Apply a display filter field, type mqtt and press Enter to display only the MQTT protocol packets.

Figure 2.8: Filtering MQTT protocol packets

17. You can observe packets such as Connect Command, Connect Ack, Subscribe Request, Subscribe Ack, and Publish Message, as shown in the screenshot.

Figure 2.9: MQTT packets

18. Click on the Connect Command packet. In the lower section of the window, click to expand the Transmission Control Protocol and MQ Telemetry Transport Protocol nodes.

19. Under the MQ Telemetry Transport Protocol node, you can observe details such as Protocol Name, Version, and Client ID.

Note: The MQTT protocol establishes communication between clients through a broker. A CONNECT command is sent to initiate a connection from the client to the broker. After the connection is established, it remains active until a DISCONNECT command is sent from the client (or the keep-alive interval expires without traffic).
Some of the headers of the CONNECT command are given below:

* Header Flags: Contains information regarding the MQTT control packet type
* Connect Flags: Contains parameters specifying the behavior of the MQTT connection (Clean Session, Will, Will QoS, Will Retain, User Name, and Password flags)
* Clean Session: Indicates whether the client wants to resume a persistent session with the broker (flag 0) or start a fresh one (flag 1)
* Client ID: A unique identifier for each MQTT client connecting to an MQTT broker

Figure 2.10: Connect Command packet (Protocol Name: MQTT, Version: MQTT v3.1.1 (4), Connect Flags: 0x02, QoS Level: At most once delivery (Fire and Forget), Clean Session set, Client ID Length: 22)

20. Click on the Connect Ack packet. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

21. Under the MQ Telemetry Transport Protocol node, you can observe details such as Header Flags and Return Code.

Note: The broker sends the Connect Ack packet on receiving a Connect Command request from the client.
Some of the headers in the Connect Ack packet are given below:

* Header Flags: Contains information regarding the MQTT control packet type
* Session Present: Indicates whether the broker already holds a session for this client; bit 0 of the Connect Acknowledge Flags byte is the Session Present flag
* Return Code: The values and responses of the return code are summarized in the table below

Return Code   Return Code Response
0             Connection Accepted
1             Connection Refused, unacceptable protocol version
2             Connection Refused, identifier rejected
3             Connection Refused, server unavailable
4             Connection Refused, bad user name or password
5             Connection Refused, not authorized

Figure 2.11: Connect Ack packet (Msg Len: 2, Message Type: Connect Ack (2))

22. Click on the Subscribe Request packet. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

23. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len, Message Identifier, and Topic Length.

Note: To receive the messages it is interested in, a client sends a SUBSCRIBE message to the MQTT broker.
Some of the headers in the Subscribe Request packet are given below:

* Header Flags: Contains information regarding the MQTT control packet type
* Message Identifier: Identifies a message in a message flow between a client and a broker
* Topic and QoS Level: A subscription is a pair of a topic filter and a QoS level; the topic filter defines the subject of interest on which the client would like to receive messages
* Payload: Contains the list of subscriptions

Figure 2.12: Subscribe Request packet (Header Flags: 0x82, Message Type: Subscribe Request; Message Identifier, Topic Length, and Topic shown under the MQ Telemetry Transport Protocol node)

24. Click on the Subscribe Ack packet. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

25. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len and Message Identifier.

Note: The MQTT broker confirms the subscription by sending an acknowledgment back to the client using a SUBACK message.
Some of the headers in the Subscribe Acknowledgement packet are given below:

* Header Flags: Contains information regarding the MQTT control packet type
* Message Identifier: Identifies a message in a message flow between a client and a broker
* Payload: Contains a list of return codes
* Return Code: For each Topic/QoS pair received in the SUBSCRIBE message, the MQTT broker sends back one return code; on success, the return code is the maximum QoS level granted for that subscription

The values and responses of the return code are summarized in the table below:

Return Code   Return Code Response
0             Success - Maximum QoS 0
1             Success - Maximum QoS 1
2             Success - Maximum QoS 2
128           Failure

Figure 2.13: Subscribe Ack packet

26. Click on any Publish Message packet. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

27. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len, Topic Length, Topic, and Message.

Note: After establishing a successful connection with the MQTT broker, the MQTT client can publish messages.
The headers in the Publish Message packet are given below:

* Header Flags: Contains information regarding the MQTT control packet type
* DUP flag: If the DUP flag is 0, this is the first attempt at sending this PUBLISH packet; if the flag is 1, it indicates a possible re-delivery of the message
* QoS: Determines the delivery assurance level of the message (0: at most once, 1: at least once, 2: exactly once)
* Retain flag: If the retain flag is set to 1, the server must store the message and its QoS so that it can be delivered to future subscribers matching the topic
* Topic Name: Contains a UTF-8 string that can include forward slashes when the topic is hierarchically structured
* Message: Contains the actual data to be transmitted
* Payload: Contains the message that is being published

28. Publish Message packets expose the messages sent by the MQTT client; on an unencrypted port-1883 session, the topic names and payloads are visible in the clear.

Figure 2.14: Publish Message packet (Message Type: Publish Message, QoS Level: At most once delivery (Fire and Forget), Topic Length and Topic shown)

29. Click on any Publish Ack packet. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

30. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len and Message Identifier.

Note: A Publish Ack (PUBACK) packet is the response to a Publish Message (PUBLISH) packet sent with QoS 1.

Figure 2.15: Publish Ack packet

31. Click on any Publish Release packet.
In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

32. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len, Message Type, and Message Identifier.

Note: A Publish Release (PUBREL) packet is the response to a Publish Received (PUBREC) packet; both belong to the QoS 2 delivery flow.

Figure 2.16: Publish Release packet (Message Type: Publish Release)

33. Now, scroll down, look for the Publish Complete packet, and click on it. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

34. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len and Message Identifier.

Note: The Publish Complete (PUBCOMP) packet is the response to a Publish Release (PUBREL) packet and completes the QoS 2 exchange.

Figure 2.17: Publish Complete packet

35. Scroll down, look for the Disconnect Req packet, and click on it. In the lower section of the window, click to expand the Transmission Control Protocol, MQ Telemetry Transport Protocol, and Header Flags nodes.

36. Under the MQ Telemetry Transport Protocol node, you can observe details such as Msg Len and Message Type (a DISCONNECT packet carries no Message Identifier).

37. A Disconnect Req (DISCONNECT) message is the final control packet sent by the client to the broker. It indicates a clean disconnection by the client.

Figure 2.18: Disconnect Req packet (Msg Len: 0, Message Type: Disconnect Req (14))

38. This concludes the demonstration of capturing and analyzing MQTT protocol packets. Here, we analyzed the different steps involved in the communication between an MQTT client and an MQTT broker using Wireshark. Understanding these fields as well as the workflow helps you quickly identify MQTT-related issues, such as a broker that accepts anonymous connections or credentials and payloads sent in the clear.

39. Close all open windows and document all the acquired information.

40. Turn off the Windows 10 and Ubuntu virtual machines.

Lab Analysis

Analyze and document all the results obtained in the lab exercise.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE ANY QUESTIONS ABOUT THIS LAB

Internet Connection Required: Yes
Platform Supported: Classroom, iLabs
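The following is an added worked example, not part of the EC-Council lab manual and not code from Wireshark or MQTT Explorer. It builds the client/broker exchange analyzed in the steps above (CONNECT, CONNACK, SUBSCRIBE, SUBACK, PUBLISH, PUBACK, DISCONNECT) as constructed MQTT 3.1.1 bytes and then decodes the same fields Wireshark shows: Protocol Name, Version, Connect Flags, Clean Session, Client ID, Return Code, Message Identifier, Topic, QoS, DUP, and Retain. The client ID, topic, and payload are assumptions chosen for the example; the packet layout follows the MQTT 3.1.1 specification. The same encoder is what you would use to probe a port-1883 host found in the Shodan step of Lab 1, and audit() reports what a pen tester would note from a plaintext capture: anonymous connections, credentials sent in the clear, and "#" wildcard subscriptions.

```python
"""MQTT 3.1.1 control-packet encoder/decoder (added example; not part of the lab manual)."""
import struct
PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 5: "PUBREC",
                6: "PUBREL", 7: "PUBCOMP", 8: "SUBSCRIBE", 9: "SUBACK", 14: "DISCONNECT"}
CONNACK_CODES = ["Connection Accepted", "Connection Refused, unacceptable protocol version",
                 "Connection Refused, identifier rejected", "Connection Refused, server unavailable",
                 "Connection Refused, bad user name or password", "Connection Refused, not authorized"]

def mqtt_str(s):
    """MQTT UTF-8 string: 2-byte big-endian length prefix followed by the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def remaining_length(n):
    """'Remaining Length' field: 7 bits per byte, MSB set means another byte follows."""
    out = bytearray()
    while n > 127:
        out.append(n % 128 | 0x80)
        n //= 128
    return bytes(out + bytes([n]))

def build(ptype, flags, body):
    """Fixed header (type nibble, flags nibble, Remaining Length) + variable header and payload."""
    return bytes([(ptype << 4) | flags]) + remaining_length(len(body)) + body

def _read_str(buf, off):
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_one(buf):
    """Decode one control packet from the start of buf; returns (fields, bytes consumed)."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    n, mult, off = 0, 1, 1
    while True:                                   # decode Remaining Length (1-4 bytes)
        b, off = buf[off], off + 1
        n, mult = n + (b & 0x7F) * mult, mult * 128
        if not b & 0x80:
            break
        if mult > 128 ** 3:
            raise ValueError("malformed Remaining Length")
    body, end = buf[off:off + n], off + n
    pkt = {"type": PACKET_TYPES.get(ptype, f"RESERVED({ptype})"), "msg_len": n}
    if pkt["type"] == "CONNECT":
        pkt["protocol"], p = _read_str(body, 0)   # "MQTT" for v3.1.1
        pkt["version"], cflags = body[p], body[p + 1]
        pkt["keep_alive"] = struct.unpack_from(">H", body, p + 2)[0]
        pkt["clean_session"] = bool(cflags & 0x02)
        pkt["client_id"], p = _read_str(body, p + 4)
        for key, bit in (("will_topic", 0x04), ("will_message", 0x04), ("username", 0x80), ("password", 0x40)):
            pkt[key], p = _read_str(body, p) if cflags & bit else (None, p)   # present only if flag set
    elif pkt["type"] == "CONNACK":
        pkt["session_present"] = bool(body[0] & 0x01)
        pkt["return_code"] = CONNACK_CODES[body[1]] if body[1] < len(CONNACK_CODES) else f"unknown ({body[1]})"
    elif pkt["type"] == "PUBLISH":
        pkt["dup"], pkt["qos"], pkt["retain"] = bool(flags & 0x08), (flags >> 1) & 0x03, bool(flags & 0x01)
        pkt["topic"], p = _read_str(body, 0)
        if pkt["qos"]:                            # Packet Identifier is present only for QoS 1 and 2
            pkt["msg_id"], p = struct.unpack_from(">H", body, p)[0], p + 2
        pkt["message"] = body[p:]
    elif pkt["type"] in ("PUBACK", "PUBREC", "PUBREL", "PUBCOMP"):
        pkt["msg_id"] = struct.unpack_from(">H", body, 0)[0]
    elif pkt["type"] == "SUBSCRIBE":
        pkt["msg_id"], p, pkt["topics"] = struct.unpack_from(">H", body, 0)[0], 2, []
        while p < len(body):                      # payload: list of (topic filter, requested QoS)
            topic, p = _read_str(body, p)
            pkt["topics"], p = pkt["topics"] + [(topic, body[p])], p + 1
    elif pkt["type"] == "SUBACK":
        pkt["msg_id"] = struct.unpack_from(">H", body, 0)[0]
        pkt["return_codes"] = list(body[2:])      # 0/1/2 = granted max QoS, 0x80 = failure
    return pkt, end

def parse_stream(buf):
    pkts, off = [], 0                             # buf: reassembled TCP payload, as "Follow TCP Stream" shows it
    while off < len(buf):
        pkt, used = parse_one(buf[off:])
        pkts.append(pkt)
        off += used
    return pkts

def audit(pkts):
    """Findings a pen tester would note from a plaintext port-1883 capture."""
    out = []
    for p in pkts:
        if p["type"] == "CONNECT":
            out.append(f"anonymous CONNECT from '{p['client_id']}'" if p["username"] is None
                       else f"credentials for '{p['username']}' sent in the clear")
        if p["type"] == "SUBSCRIBE" and any(t == "#" for t, _ in p["topics"]):
            out.append("wildcard '#' subscription reads every topic on the broker")
    return out

SAMPLE = b"".join([  # constructed exchange (assumed client id, topic and payload; not a real capture)
    build(1, 0x00, mqtt_str("MQTT") + bytes([4, 0x02, 0, 60]) + mqtt_str("mqtt-explorer-01")),
    build(2, 0x00, bytes([0, 0])),                                          # CONNACK: accepted
    build(8, 0x02, struct.pack(">H", 1) + mqtt_str("#") + b"\x00"),          # SUBSCRIBE to everything
    build(9, 0x00, struct.pack(">H", 1) + b"\x00"),                         # SUBACK: granted QoS 0
    build(3, 0x02, mqtt_str("home/door/lock") + struct.pack(">H", 7) + b"unlock"),  # PUBLISH, QoS 1
    build(4, 0x00, struct.pack(">H", 7)),                                   # PUBACK for msg id 7
    build(14, 0x00, b""),                                                   # DISCONNECT
])
```

Run parse_stream(SAMPLE) to see each packet as a dictionary of the fields the lab inspects, and audit(parse_stream(SAMPLE)) to get the findings list; in a real engagement the input to parse_stream would be the TCP payload exported from Wireshark's Follow TCP Stream view. The Remaining Length decoder deliberately rejects a fifth continuation byte, which is the malformed-packet case a fuzzer or a hostile client would send to a broker.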
