Vulnerable IoT Labs

🧨 Vulnerable IoT Labs & Simulations

1. Damn Vulnerable IoT Device (DVID)

  • What it is: A purposely vulnerable IoT firmware emulation environment.

  • Covers: Web interface flaws, misconfigured services (like Telnet, FTP), weak credentials.

  • Emulates real embedded Linux firmware.


2. DVIA-v2 for IoT (Coming Soon)


3. IoTGoat (OWASP Project)

  • What it is: OWASP’s official vulnerable IoT firmware image.

  • Focus: Real IoT flaws including default creds, open services, insecure protocols.

  • Includes: Config issues, OTA vulnerabilities, cloud misconfigs.


4. RouterSploit + Custom Firmware

  • What it is: A framework like Metasploit but for embedded devices and routers.

  • Combine with:

    • Emulated firmware (e.g., from D-Link, TP-Link, Netgear)

    • QEMU or Firmadyne


5. Attify IoT Pentesting Workshop Labs

  • Labs from one of the best-known IoT security companies.

  • Covers: Firmware extraction, UART, SPI, mobile app exploitation, BLE hacking.

  • Bonus: Companion to the Attify OS (preconfigured pentesting distro).


βš™οΈ Tools & Frameworks for IoT Pentesting

Tool | Use Case
Binwalk | Extract and analyze firmware images
Firmware Analysis Toolkit (FAT) | Automates emulating Linux-based firmware
Firmadyne | Full Linux firmware emulation for dynamic testing
Frida / Objection | Instrument the mobile apps that interface with IoT devices
Ghidra / IDA Free | Reverse engineering binaries in firmware
MQTT-Spy / Mosquitto | Test insecure MQTT communication
BLEah / Gattacker | Bluetooth Low Energy fuzzing
Shodan / Censys | Find real-world exposed IoT devices (for research only!)
USBlyzer / Logic Analyzers | Hardware comms analysis (USB/UART/SPI)


🧪 Emulated IoT Testing Platforms

🔹 Firmwalker


🔹 Qiling Framework


🔹 IoT-Analyzer


🧱 Hardware Pentesting (If You Have Real Devices)

Interface | Tools
UART | TTL-to-USB adapter, screen/minicom
JTAG | JTAGulator, OpenOCD
SPI Flash | Bus Pirate, Flashrom
SD Cards | Use dd + hex editors to dump and analyze partitions

Note: You can practice on old routers, IP cameras, or even smart light bulbs.


🌐 Online Platforms for IoT Pentesting

🔹 TryHackMe – “Smart Devices” Room


🔹 Hack The Box – IoT Challenges

  • Occasionally releases IoT-specific boxes with embedded services.

  • Good for firmware cracking, reverse engineering, and C2 logic.


🔹 IoT Security Foundation Labs (Free Resources)


🧭 IoT Pentesting Learning Path (Structured)

Phase | Focus | Resources
🔹 Phase 1 | Firmware analysis (static) | Binwalk, Firmwalker, IoTGoat
🔹 Phase 2 | Firmware emulation | Firmadyne, FAT, QEMU
🔹 Phase 3 | Network attack surface | Nmap, MQTTScan, RouterSploit
🔹 Phase 4 | Hardware interfaces | UART, SPI, JTAG practice
🔹 Phase 5 | Mobile & BLE testing | Frida, BLEah, mobile client analysis
🔹 Phase 6 | Cloud / API abuse | TryHackMe, Shodan IoT devices
🔹 Phase 7 | Reporting & mitigation | OWASP IoT Top 10, CVE mapping


6. ExplIoT

  • What it is: Modular framework for IoT attack automation.

  • Covers: BLE fuzzing, MQTT testing, UPnP attacks, SSDP enumeration, Zigbee.

  • Good for: Building and executing repeatable test cases across multiple IoT protocols.


7. CIRCL’s IoT Sandbox


8. IOT-SEED Labs


9. MIRAI IoT Honeypot Lab


10. WiFi Hacking IoT Scenarios

  • Tools like Wifiphisher, airgeddon, and EvilAP simulate rogue AP attacks common in IoT onboarding.

  • Practice attacking:

    • Smart plugs

    • WiFi cameras

    • ESP8266/ESP32 boards


πŸ” Real IoT Firmware Sources for Reverse Engineering

Want to practice on real, in-the-wild firmware? Here’s where to obtain it legally:

Source | What It Offers
Firmware Archive (Firmadyne dataset) | 2000+ real firmware images
IoT Inspector Firmware DB | Publicly shared firmware images, linked with CVEs
OpenWRT & DD-WRT | Open-source router firmware
Vendor FTPs (D-Link, TP-Link) | Many still expose firmware archives online
Firmware Analysis Challenge (by CMU) | RE + analysis on captured IoT firmware


βš”οΈ Real Exploits & Attack References

Source | Use Case
Exploitee.rs | Huge collection of real IoT exploits
CVE-Details (IoT filter) | Vulnerabilities in specific models
FullDisclosure / Packet Storm | Zero-days and older IoT firmware exploits


πŸ› οΈ Advanced IoT Pentesting Tools

Tool | Purpose
Wireshark with Zigbee dissector | Sniff Zigbee traffic (requires radio)
RFcat + Yardstick One | Radio-based attacks (Sub-GHz)
HackRF + SDRSharp | Replay and fuzz RF signals from smart home devices
Ghidra + Binwalk + QEMU combo | Reverse, extract, emulate firmware images
Bettercap | Man-in-the-middle over BLE, WiFi, and even Ethernet
MQTTSA | MQTT Security Auditor for fuzzing and misconfig detection
Zigbee2MQTT logs | For capturing and fuzzing Zigbee payloads


📦 IoT Hardware That’s Great for Practice

Device | Practice Focus
ESP8266 / ESP32 dev boards | Flashing firmware, OTA abuse, WiFi onboarding
TP-Link routers (older models) | Web exploits, backdoor analysis
Wyze or D-Link IP cams | Reverse engineering, Telnet/FTP abuse
Smart plugs (Tuya-based) | Cloud APIs, mobile app sniffing
BLE-enabled fitness trackers | MITM via GATT tools or BLEah
Zigbee smart bulbs | Zigbee protocol fuzzing and spoofing


🧭 Advanced Learning Path for IoT Pentesting

Phase | Topic | Tools & Labs
1 | 🔍 Firmware Recon | Binwalk, Firmwalker, Ghidra
2 | 🛠️ Emulation | Firmadyne, QEMU, FAT
3 | 🌐 Network Enumeration | Nmap, MQTTSpy, Shodan
4 | 📡 Radio/Protocol Attacks | HackRF, Yardstick, Wireshark
5 | 📲 Mobile App + Cloud Abuse | Frida, Objection, APKTool
6 | 🧪 BLE & Zigbee | BLEah, Gattacker, Zigbee2MQTT
7 | 💻 Hardware Interfaces | UART/JTAG, SPI flash dumps
8 | 🔐 Secure Dev & Reporting | OWASP IoT Top 10 + SBOM review

