Testing 1: WPS aircrack hacking

We are going to hack into the wifi using aircrack and Wifi Protected Setup. Using a virtual machine (Virtual Box) running Kali Linux OS, a router with WPS, and a Wireless Network Adapter capable of monitor mode, we are going to crack WPS. Once we have cracked the WPS, we will have access to the APs. We will then use Nmap to identify the devices and services available and capture the packets sent by esp8266.

Secondly, we are going to make use of the tool wpscrack.py to make the program executable (chmod +x wpscrack.py). 

​

We will scan the access point to attack and save its MAC address of it using the sudo command (sudo iwlist scan wlan0) and (ip link show wlan0 | awk '/ether/ {print $2}'). 

​

Subsequently, we will set our IoT device into monitor mode using (sudo airmon-ng start wlan0) and finally attack the access point using (wpscrack.py –iface mon0 –client <MAC address> –bssid <AP MAC address> --ssid <AP name > -v).

​
 

Testing 2: Wi-Fi packet sniffing, man in the middle

Once we are in the AP, we will use Nmap to identify the ESP8266 ($ nmap  [scan type...]  options  {target specification)).

​

After we have identified the ESP8266's IP address, we can use Wireshark to capture its packets, to decrypt the messages to identify the telegram handles used, through packets sent to AWS.

​

 

Testing 3: Wi-Fi Denial of service.

With Wi-Fi DoS, we can deny the users access to their locks, as it prevents the ESp8266 from communicating with telegram and AWS.

Since we have identified the Wi-Fi SSID and the IP address of the LockGitech, we can use a command to send the packet that makes the user inaccessible to a wifi network, type the below command.

aireplay-ng -0 <number of packets> -a <bssid of target network> -c <target client> <wifi name> 

bssid of target network = copy the BSSID of victim’s router.
Target client=paste the MAC address of the user, you want to disconnect specifically. (optional)
Wifi name = your adaptor name.

Now, we need to configure our channel.
Stop the network scanning. Press CTRL+C.
airodump-ng -c <broadcasting channel of router> -i  <wifi name>

To disconnect all users type the below command.
aireplay-ng -0 <number of packets> -a <bssid of target network> -c <target client> <wifi name>

This will send an authentication packet and make all users inaccessible to the wifi network.
Now, no user will have permission to connect with the network until we stop sending packets.

​

​

​

Testing 4: Brute force OTP  using Dictionary Attack.

 In this scenario, a brute force attack is conducted to get the OTP authentication number for the keypad system. The attack involves systematically testing combinations of passwords ranging from 000000 - 999999 and injecting them into Arduino to determine the OTP that was sent.

• Password Wordlist: Specify the path to the appropriate Numlist.

• Arduino Mega IP Address: [Arduino_IP]

hydra -P /path/to/password/Numlist.txt [Arduino_IP] http-post-form "/login.php:password=^PASS^:Invalid password"

Hydra submits HTTP POST requests to the keypad login page, varying the password parameter. The response "Invalid password" indicates unsuccessful authentication attempts, while successful authentication would lead to access granted.

 

 

 

Testing 5: RFID duplication method 

We will use the RFID duplication method to help us gain unauthorised access to the location with the digital lock. We can either intercept and capture the radio signals transmitted between the real RFID credentials and the RFID reader or use specialized hardware, such as flipper zero, to capture the data of a stolen RFID tag.

​

Once the data is captured, we will be able to extract the information stored on the RFID tag. We will then duplicate it on another RFID card, giving us unauthorized access to one of the factors of authentication