Vulnerable IoT Labs
🧨 Vulnerable IoT Labs & Simulations
1. Damn Vulnerable IoT Device (DVID)
What it is: An open-source, purposely vulnerable IoT training board (ATmega328P based) that ships with a set of deliberately flawed firmwares to flash onto it. It is real hardware, not an emulated Linux image.
Covers: UART access, firmware dumping and analysis, Bluetooth Low Energy, and other hardware-level flaws.
GitHub: https://github.com/Vulcainreo/DVID
2. DVIA-v2 for IoT (Coming Soon)
From the creators of the Damn Vulnerable iOS App (DVIA-v2).
Check https://github.com/prateek147/DVIA-v2; an IoT branch covering insecure BLE, MQTT and similar is planned, so confirm in the repository what has actually shipped before building a lab around it.
3. IoTGoat (OWASP Project)
What it is: OWASP's deliberately insecure IoT firmware image, built on OpenWrt and mapped to the OWASP IoT Top 10.
Focus: Real IoT flaws including default creds, open services, insecure protocols.
Includes: Config issues, OTA vulnerabilities, cloud misconfigs.
GitHub: https://github.com/OWASP/IoTGoat
4. RouterSploit + Custom Firmware
What it is: A Metasploit-style exploitation framework aimed at embedded devices and routers (scanners, default credential checks, exploit modules).
Combine with: emulated firmware (e.g., D-Link, TP-Link, Netgear images) running under QEMU or Firmadyne, so you have a legal target to point it at.
5. Attify IoT Pentesting Workshop Labs
Labs from one of the best-known IoT security companies.
Covers: Firmware extraction, UART, SPI, mobile app exploitation, BLE hacking.
Bonus: Companion to the Attify OS (preconfigured pentesting distro).
⚙️ Tools & Frameworks for IoT Pentesting
Binwalk: extract and analyze firmware images (signature scan, entropy, filesystem extraction).
Firmware Analysis Toolkit (FAT): automates emulating Linux-based firmware (wraps Firmadyne).
Firmadyne: full-system emulation of Linux firmware for dynamic testing.
Frida / Objection: instrument and hook the mobile companion apps that talk to IoT devices.
Ghidra / IDA Free: reverse engineering binaries found in firmware.
MQTT-Spy / Mosquitto: subscribe, publish and test insecure MQTT brokers.
BLEah / GATTacker: BLE enumeration (BLEah) and BLE man-in-the-middle (GATTacker).
Shodan / Censys: find real-world exposed IoT devices (research only; never touch devices you do not own or have authorization to test).
USBlyzer / logic analyzers: hardware bus analysis (USB/UART/SPI).
🧪 Firmware Analysis & Emulation Helpers
🔹 Firmwalker
Scans an extracted firmware filesystem (static, no emulation needed) for sensitive data: SSH keys, password hashes, certificates, hardcoded credentials.
Use on the output of Binwalk or alongside Firmadyne.
🔹 Qiling Framework
A Python emulation framework built on Unicorn for dynamic firmware and binary analysis.
Supports ARM, MIPS, x86, and more.
Great for binary instrumentation and runtime hooks without booting the whole firmware.
🔹 IoT-Analyzer
Scans firmware for insecure hardcoded creds, SSL/TLS issues, and known CVEs.
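The checks Firmwalker and IoT-Analyzer run on an extracted filesystem are simple enough to write yourself, which is the fastest way to understand what they flag and why. The following is an added example, not Firmwalker's or IoT-Analyzer's own code: it walks a directory such as the squashfs-root/ that binwalk -e leaves behind and reports private keys, password hashes and empty passwords in /etc/passwd or /etc/shadow, credential-looking lines in text configs, and world-writable executables. The sample tree it scans is constructed inside the script (the shadow hashes, cloud.conf and key file are placeholders, not real firmware content).

```python
"""Firmwalker-style scan of an extracted firmware root filesystem (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

KEY_MARKER = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# user:$id$salt$hash:... (crypt(3) modular format) or user:<13-char DES hash>:...
HASH_FIELD = re.compile(r"^([^:\n]+):(\$[0-9a-z]+\$[^:\n]*|[A-Za-z0-9./]{13}):", re.M)
EMPTY_PW = re.compile(r"^([^:\n]+)::", re.M)          # empty password field
# password = "x", passwd: x, secret=x ... in text configuration files
CRED_LINE = re.compile(r"^\s*(?:password|passwd|pass|pwd|secret)\s*[=:]\s*\"?([^\s\"]+)",
                       re.I | re.M)
CONFIG_SUFFIXES = {".conf", ".cfg", ".ini", ".json", ".xml", ".txt"}
CRED_FILES = {"passwd", "shadow", "passwd-", "shadow-"}


def scan_rootfs(root):
    """Return sorted (finding_type, relative_path, detail) tuples for the tree under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):       # os.walk does not follow symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root)
            try:
                data = Path(full).read_bytes()
            except OSError:
                continue
            text = data.decode("utf-8", "replace")
            if KEY_MARKER.search(data):
                findings.append(("private_key", rel, ""))
            if name in CRED_FILES:
                for user, _hash in HASH_FIELD.findall(text):
                    findings.append(("password_hash", rel, user))
                for user in EMPTY_PW.findall(text):
                    findings.append(("empty_password", rel, user))
            if os.path.splitext(name)[1].lower() in CONFIG_SUFFIXES:
                for value in CRED_LINE.findall(text):
                    findings.append(("hardcoded_credential", rel, value))
            mode = os.lstat(full).st_mode
            if mode & stat.S_IWOTH and mode & stat.S_IXUSR:   # anyone can replace a program
                findings.append(("world_writable_executable", rel, oct(mode & 0o777)))
    return sorted(findings)


def build_sample_rootfs(base):
    """Constructed stand-in for an extracted squashfs-root/ (placeholder content, not real firmware)."""
    base = Path(base)
    (base / "etc" / "ssl").mkdir(parents=True)
    (base / "usr" / "sbin").mkdir(parents=True)
    (base / "etc" / "shadow").write_text(
        "root:$1$abcdefgh$ijklmnopqrstuvwxyzAB:17000:0:99999:7:::\n"
        "admin:AbCdEfGhIjKlM:17000:0:99999:7:::\n"
        "nobody:*:17000:0:99999:7:::\n")
    (base / "etc" / "passwd").write_text(
        "root:x:0:0:root:/root:/bin/sh\n"
        "guest::1000:1000:guest:/tmp:/bin/sh\n")          # empty password field
    (base / "etc" / "cloud.conf").write_text(
        "server = mqtt.example.invalid\n"
        'password = "s3cret-token"\n')
    (base / "etc" / "ssl" / "device.key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nnot-a-real-key\n-----END RSA PRIVATE KEY-----\n")
    helper = base / "usr" / "sbin" / "telnetd_wrapper"
    helper.write_text("#!/bin/sh\nexec telnetd -l /bin/sh\n")
    helper.chmod(0o777)                                   # world-writable executable
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_rootfs(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print(f"{kind:28} {path:32} {detail}")
```

Point it at a real extraction with scan_rootfs("squashfs-root") and feed the password_hash findings to a cracker; the empty_password and hardcoded_credential hits are usually the first things to try against the device's Telnet, web and MQTT services.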
🧱 Hardware Pentesting (If You Have Real Devices)
UART: TTL-to-USB adapter, then screen or minicom at the console's baud rate (115200 is the usual first guess)
JTAG: JTAGulator to find the pins, OpenOCD to drive them
SPI flash: Bus Pirate (or any SPI programmer) with flashrom to dump the chip
SD cards: dd to image the card, then a hex editor or a partition-table parser to analyze the partitions
Note: You can practice on old routers, IP cameras, or even smart light bulbs.
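Once a card or flash chip has been imaged, the first question is where the partitions are and what is in them. The following is an added example (not code from any tool on this page) that parses the MBR partition table of a dumped SD card image, carves each partition out, and identifies it from magic bytes. Real input would be the file written by dd if=/dev/sdX of=sd.img bs=4M; here a 5 MiB image with a bootable FAT32 partition and a squashfs root partition is constructed in memory so the example runs without hardware.

```python
"""Parse an MBR partition table from a dumped SD image and carve its partitions (added example)."""
import struct

SECTOR = 512
PART_TYPES = {0x01: "FAT12", 0x05: "Extended", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}
# (offset within partition, magic bytes, name): quick content checks for carved data
MAGICS = [(0, b"hsqs", "squashfs"),                 # little-endian squashfs superblock
          (0, b"\x27\x05\x19\x56", "uImage"),        # U-Boot legacy image header
          (0x438, b"\x53\xef", "ext2/3/4"),          # 0xEF53 at superblock offset 56 (+1024)
          (0, b"\xeb", "FAT/boot sector")]           # x86 short jump at start of a boot sector


def parse_mbr(image):
    """Return the used entries of the 4-slot MBR partition table as dicts."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature (0x55AA) at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "offset": lba * SECTOR, "size": count * SECTOR})
    return parts


def carve(image, part):
    """Slice one partition out of the image, refusing to read past a short dump."""
    end = part["offset"] + part["size"]
    if end > len(image):
        raise ValueError(f"partition {part['index']} ends at {end}, image is only {len(image)} bytes")
    return image[part["offset"]:end]


def identify(blob):
    """Guess the filesystem/container of a carved partition from magic bytes."""
    for off, magic, name in MAGICS:
        if blob[off:off + len(magic)] == magic:
            return name
    return "unknown"


def build_sample_image():
    """Constructed 5 MiB image: bootable FAT32 at 1 MiB, Linux (squashfs) at 3 MiB, 2 MiB each."""
    table = struct.pack("<B3xB3xII", 0x80, 0x0C, 2048, 4096)   # bootable FAT32 (LBA)
    table += struct.pack("<B3xB3xII", 0x00, 0x83, 6144, 4096)  # Linux rootfs
    table += b"\x00" * 32                                       # two unused slots
    image = bytearray((6144 + 4096) * SECTOR)
    image[446:510] = table
    image[510:512] = b"\x55\xaa"
    image[2048 * SECTOR: 2048 * SECTOR + 3] = b"\xeb\x58\x90"   # FAT32 boot sector jump
    image[6144 * SECTOR: 6144 * SECTOR + 4] = b"hsqs"           # squashfs magic
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for p in parse_mbr(img):
        print(p["index"], p["type_name"], "bootable" if p["bootable"] else "",
              hex(p["offset"]), p["size"], identify(carve(img, p)))
```

For a real dump, write each carved partition to its own file and hand it to binwalk or unsquashfs; the length check in carve is what tells you a dd run was cut short before the last partition.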
🌐 Online Platforms for IoT Pentesting
🔹 TryHackMe – “Smart Devices” Room
Covers insecure MQTT, cloud service abuse, and weak device APIs.
🔹 Hack The Box – IoT Challenges
Occasionally releases IoT-specific boxes with embedded services.
Good for firmware cracking, reverse engineering, and C2 logic.
🔹 IoT Security Foundation Labs (Free Resources)
Whitepapers, lab designs, and testing guidance.
🧭 IoT Pentesting Learning Path (Structured)
🔹 Phase 1
Firmware analysis (static)
Binwalk, Firmwalker, IoTGoat
🔹 Phase 2
Firmware emulation
Firmadyne, FAT, QEMU
🔹 Phase 3
Network attack surface
Nmap, MQTTScan, RouterSploit
🔹 Phase 4
Hardware interfaces
UART, SPI, JTAG practice
🔹 Phase 5
Mobile & BLE testing
Frida, BLEah, mobile client analysis
🔹 Phase 6
Cloud / API abuse
TryHackMe, Shodan IoT devices
🔹 Phase 7
Reporting & mitigation
OWASP IoT Top 10, CVE mapping
6. ExplIoT
What it is: Modular framework for IoT attack automation.
Covers: BLE fuzzing, MQTT testing, UPnP attacks, SSDP enumeration, Zigbee.
Good for: Building and executing repeatable test cases across multiple IoT protocols.
7. CIRCL’s IoT Sandbox
Live virtualized vulnerable IoT environments (includes UPnP, TR-069, insecure services).
Access is via VPN, so testing stays inside an authorized, isolated environment rather than on the open Internet.
Request access: https://www.circl.lu/services/iot-sandbox/
8. IOT-SEED Labs
Free educational labs covering:
Insecure firmware update
Command injection
Backdoors
MQTT vulnerabilities
Well-suited for classrooms and DIY training labs.
9. MIRAI IoT Honeypot Lab
Recreate a Mirai-style botnet scenario on an isolated lab network.
Set up cameras, DVRs, and routers (or emulated equivalents) with default Telnet credentials, then run or simulate the scanner that sprays them.
Practice detection (spotting the credential spraying in logs) and containment (isolating and re-credentialing the device that fell).
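The detection half of that lab comes down to recognizing Mirai's behaviour in authentication logs: one source walking through a fixed list of factory credentials, and then a login that succeeds. The following is an added example for this lab, not part of Mirai or of any honeypot; the log line format is constructed for the example, and MIRAI_DEFAULTS is a small subset of the username:password list in the leaked Mirai source. It raises one alert when a source tries several distinct default pairs inside a time window, and a second, higher-priority alert when a default pair actually works, which is the cue for containment.

```python
"""Detect Mirai-style Telnet credential spraying in auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the default credentials hardcoded in the leaked Mirai scanner.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("ubnt", "ubnt"), ("root", "Zte521"), ("root", "hi3518"),
}

# Constructed log format for this example: one line per Telnet login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) telnetd src=(?P<src>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")


def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Return (alert_type, source_ip, detail) tuples in the order they fire.

    mirai_style_bruteforce: a source tried `threshold` distinct Mirai default pairs
    within `window`. default_cred_login: a default pair worked, so the target must be
    isolated and re-credentialed. Input is assumed to be in time order.
    """
    recent = defaultdict(list)          # src -> [(timestamp, (user, pw))] inside the window
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                    # unparseable lines are skipped, not fatal
        cred = (m["user"], m["pw"])
        if cred not in MIRAI_DEFAULTS:
            continue                    # ordinary failed logins are not this detector's job
        src = m["src"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if m["result"] == "ok":
            alerts.append(("default_cred_login", src, f"{cred[0]}:{cred[1]}"))
        hist = recent[src]
        hist.append((ts, cred))
        hist[:] = [(t, c) for t, c in hist if ts - t <= window]   # slide the window
        distinct = {c for _, c in hist}
        if len(distinct) == threshold:  # fires when the count reaches the threshold
            alerts.append(("mirai_style_bruteforce", src,
                           f"{threshold} default pairs within {int(window.total_seconds())}s"))
    return alerts


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:00Z telnetd src=203.0.113.5 user=root pass=xc3511 result=fail
2024-03-01T10:00:01Z telnetd src=203.0.113.5 user=root pass=vizxv result=fail
2024-03-01T10:00:02Z telnetd src=203.0.113.5 user=admin pass=admin result=fail
2024-03-01T10:00:03Z telnetd src=203.0.113.5 user=root pass=888888 result=ok
2024-03-01T10:00:10Z telnetd src=198.51.100.7 user=operator pass=Correct-Horse-9 result=fail
2024-03-01T10:05:00Z telnetd src=198.51.100.7 user=root pass=admin result=fail
this line is not an auth record and is ignored
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second source in the sample never crosses the threshold: one ordinary failed login plus one default pair is normal noise, which is the point of counting distinct default pairs rather than raw failures.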
10. WiFi Hacking IoT Scenarios
Tools like Wifiphisher, airgeddon, and EvilAP simulate the rogue access point attacks common during IoT onboarding (the moment a device or its companion app is pointed at a WiFi network). Practice attacking:
Smart plugs
WiFi cameras
ESP8266/ESP32 boards
🔍 Real IoT Firmware Sources for Reverse Engineering
Want to practice on real, in-the-wild firmware? Here's where to get it legally:
Firmware Archive (Firmadyne dataset): 2000+ real firmware images
IoT Inspector Firmware DB: publicly shared firmware, linked with CVEs
OpenWRT & DD-WRT: open-source router firmware
Vendor FTP/download sites (D-Link, TP-Link): many still expose firmware archives online
Firmware Analysis Challenge (by CMU): RE + analysis on captured IoT firmware
⚔️ Real Exploits & Attack References
Exploitee.rs: huge collection of real IoT exploits and device write-ups
CVE Details (filtered by IoT vendor/product): vulnerabilities in specific models
Full Disclosure / Packet Storm: zero-days and older IoT firmware exploits
🛠️ Advanced IoT Pentesting Tools
Wireshark with Zigbee dissector: sniff Zigbee traffic (requires a sniffer radio such as a CC2531 or nRF52840 dongle)
RFcat + Yardstick One: sub-GHz radio attacks (capture, replay, brute force)
HackRF + SDR software: capture, replay and fuzz RF signals from smart home devices (SDRSharp is receive-only; transmitting with the HackRF needs GNU Radio, Universal Radio Hacker or similar)
Ghidra + Binwalk + QEMU combo: extract, reverse and emulate firmware images
Bettercap: man-in-the-middle over WiFi and Ethernet, plus BLE scanning and GATT enumeration
MQTTSA: automated MQTT broker assessment (fuzzing and misconfiguration detection)
Zigbee2MQTT: bridge plus Zigbee coordinator dongle; its debug logs show device joins and payloads, and its MQTT interface lets you send commands to paired devices
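Whether you use MQTT-Spy, Mosquitto's command-line clients or MQTTSA, the first two questions for any broker are the same: does it accept anonymous connections, and do the credentials pulled out of the firmware still work? The following is an added example, not code from any of those tools: it hand-builds an MQTT 3.1.1 CONNECT packet, decodes the CONNACK return code, and wraps the two in a probe you can aim at a lab broker. Everything is standard library; the broker hostname in the __main__ block is a placeholder.

```python
"""Probe an MQTT broker's authentication posture with hand-built MQTT 3.1.1 packets (added example)."""
import socket
import struct

# CONNACK return codes from the MQTT 3.1.1 specification.
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 bits per byte, high bit set means more bytes follow."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _utf8_field(s):
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def build_connect(client_id, username=None, password=None, keepalive=30):
    """CONNECT with clean session; the username/password flags are set only when supplied."""
    flags = 0x02                                  # bit 1: clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80                             # bit 7: username present
        payload += _utf8_field(username)
        if password is not None:
            flags |= 0x40                         # bit 6: password present
            payload += _utf8_field(password)
    var_header = _utf8_field("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive)
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body   # 0x10: CONNECT packet type


def parse_connack(data):
    """Return (return_code, description, session_present) from a CONNACK packet."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError(f"not a CONNACK: {data!r}")
    code = data[3]
    return code, CONNACK_CODES.get(code, f"unknown code {code}"), bool(data[2] & 1)


def probe_broker(host, port=1883, username=None, password=None, timeout=5):
    """Live check against a broker you are authorized to test (not exercised by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("audit-probe", username, password))
        return parse_connack(sock.recv(4))


if __name__ == "__main__":
    # Placeholder target: replace with the lab broker you own.
    for user, pw in [(None, None), ("admin", "admin")]:
        try:
            print((user, pw), probe_broker("broker.lab.invalid", username=user, password=pw))
        except OSError as exc:
            print((user, pw), "connection failed:", exc)
```

A return code of 0 for the anonymous CONNECT means the broker is open to anyone on the network; code 5 on anonymous but 0 on a firmware-extracted credential means the "authentication" is a shared, non-rotatable secret, which is the finding to write up.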
📦 IoT Hardware That's Great for Practice
ESP8266 / ESP32 dev boards: flashing firmware, OTA abuse, WiFi onboarding
TP-Link routers (older models): web exploits, backdoor analysis
Wyze or D-Link IP cams: reverse engineering, Telnet/FTP abuse
Smart plugs (Tuya-based): cloud APIs, mobile app traffic sniffing
BLE-enabled fitness trackers: GATT enumeration with BLEah, MITM with GATTacker
Zigbee smart bulbs: Zigbee protocol fuzzing and spoofing
🧭 Advanced Learning Path for IoT Pentesting
1. 🔍 Firmware Recon: Binwalk, Firmwalker, Ghidra
2. 🛠️ Emulation: Firmadyne, QEMU, FAT
3. 🌐 Network Enumeration: Nmap, MQTT-Spy, Shodan
4. 📡 Radio/Protocol Attacks: HackRF, Yardstick One, Wireshark
5. 📲 Mobile App + Cloud Abuse: Frida, Objection, APKTool
6. 🧪 BLE & Zigbee: BLEah, GATTacker, Zigbee2MQTT
7. 💻 Hardware Interfaces: UART/JTAG, SPI flash dumps
8. 🔐 Secure Dev & Reporting: OWASP IoT Top 10 + SBOM review