# IoT Hacking Stream

## Metadata

- **Channel:** The Cyber Mentor
- **YouTube:** https://www.youtube.com/watch?v=K8VA23kmUJg

## Contents

### [0:00](https://www.youtube.com/watch?v=K8VA23kmUJg) Segment 1 (00:00 - 05:00)

it. So, let us know in chat if you are. Um, definitely give a shout out to that. You are waiting for the stream. You're in the right spot then because we are here now. How am I doing? I am doing great. I'm happy to be here on a Wednesday. I love streaming and hanging out with everyone here. We're going to be doing some router hacking after we chat for a bit here. Uh, I haven't touched the router since the last time, except for if you were following along. Um, last time we were trying to crack that password and I literally just left one running after the stream ended and it cracked in like 5 minutes. So, um, haven't tried it to get in or anything yet, but uh, yeah, it cracked in like five minutes. And someone else, I forget who it was. Um, if you're here, someone else also found it, um, uh, cracked it, or I'm not entirely sure, they messaged me on Discord as well. So, super cool that other people were hacking along as well. Uh, some good questions. If you got questions, pop them in here. I see people saying hi and what's up. So, hello to everyone. But if you got any questions, I am here to answer them. But this question: do you need to learn pwn before you go into IoT hacking? So, I'm guessing by pwn you mean like binary exploitation, that kind of stuff. Um, no, definitely not. I mean, that's one of the areas where you do see a lot of binary exploitation these days is in IoT um systems, but there's lots of other vulnerabilities and things that you can find without uh getting into binary exploitation. So, if you are curious, yeah, there's still lots that can be found without that. Um, and if you do want to learn binary exploitation, then IoT is a good place to start. Um, it's one of the places where you're going to find it a bit easier because a lot of times they still um are limited in the processing power and things like that. 
So you won't as frequently come up against uh a lot of the protections that are in place on like modern Linux and Windows like uh canaries and non-executable stack and that kind of stuff. So yeah, good place to start. All right, looks like I got yes, one resume. So definitely uh at least one person that's interested. Hey, good morning to you too then. Yeah, you're uh an Aussie in the Philippines. So yeah, on the other side of the world for me at least. Uh, you just gained a new subscriber. Cool. Thank you so much. We are getting close to a million subscribers, which is super cool. Uh, and I know there's going to be like some celebration and um probably some giveaways and stuff like that as we near to and get to 1 million subscribers. So, if you're not subscribed, uh, make sure you are so you could, you know, help us get to a million and also potentially uh, win some prizes. You are in network support and you're looking for a job. Maybe that would be a good spot for a resume review, then I think um yeah, Britt's the resident resume review expert and I know she does them sometimes. So, she's the one that asked me if I would mind uh mentioning that. So, yeah, maybe we can do a resume review stream coming up soon and help you out by taking a look at your resume. I'm not really creating paths for these ones cuz I'm just kind of like doing it as I go, but yeah, we can make um a playlist after of them all so people can follow along. Um, yeah, maybe we could even chop it up so you don't have to watch all the questions first. Um, but no, not specifically. If you do want some learning paths for IoT hacking, um, on my personal YouTube channel, I am working through that where they're very much more like um, you know, step one, do this, step two, do this, like very detailed. So, if you want to check that out, it's just Digital Andrew on uh YouTube. Look me up. Uh, yeah, I'm probably going to be posting another video to there maybe later today or tomorrow. 
And yeah, it's using an easy-to-find router as well right now. Yes, I have seen you around in all of those streams. So, great to see you and thanks for tuning in again. And yeah, also I have some more content on my own YouTube channel as well if you want to. Hey, Zen Carter, good to see you here. Thanks for stopping in. Okay, talk about forensics. Hm.

### [5:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=300s) Segment 2 (05:00 - 10:00)

I'm not the best person to talk about forensics. That's the other Andrew, Prince. Uh, but I will say there is some really exciting forensics content coming to TCM in the very near future. Uh, there's going to be a course and it's going to be sweet. I'm definitely going to take it. I'm looking forward to it. And also, uh, if you want forensics content, go on our YouTube channel. Prince just put out a 45-minute video that is really good. Like really, really stepped up his production quality. Some cool shorts from it. Goes into the history of forensics and digital forensics. So yeah, go and uh go and check that out for sure. It is uh worth watching. So if you want forensics content, I'm not going to do it any justice compared to what Prince can. So, or alternatively in two weeks. So next week we'll have office hours, the week after Prince will be back. How do you go deep into network hacking? Hm. If you have not taken the whole PEH all the way from start to finish, I would go there because that is your zero-to-hero network hacking course and network pen testing. Are there any good applications for a man-in-the-middle attack? So for IoT, which I am more familiar with, I like the tool called uh man-in-the-middle router, MITM Router. It is uh like a bash utility created by Matt Brown for setting that up. So if you just search for that or find his GitHub um then that is what I use. So I would suggest checking that out. Lots of really good questions today. Which has more future, red teaming or blue teaming? Which side do you find more interesting? Well, that's a great question. Um, I think so, future-wise I think they both have the same future outlook because, I mean, you need both of them. You can't really have one without the other very well. I mean I guess you could just have blue team. Um, so yeah, personally that's a tough question. I honestly find them both very interesting. 
I kind of sometimes myself personally don't even fully see the line between them because really the more you understand of like the attacks more you can defend and the more you understand the defense more you can attack. So it's tough for me to say which one I find more interesting kind of just generally more what I'm doing at the time. Um but one point I will call out that you know we get this question a lot and people asking about is I won't sugarcoat it. There's definitely a lot more blue team jobs and it is easier to land a blue team job. Uh when you're getting into cyber security or IT, even that is hard right now. Like I'm not going to sugar coat it. The job market in at least North America is not the best it's been right now. I mean two years ago it was completely different, but right now it's not. Um so like all jobs are tough to land right now in tech. Uh but yeah, red team is definitely harder than blue team. So, if that's what you're asking about, then um yeah, blue team is a little bit easier. Okay. Another good question from you. What's the fastest growing field in cyber security right now? AI related security specifically right now is definitely the fastest growing field. I don't know if it'll stick around. I think it will. But um yeah, like all aspects of AI security. So whether that's like you know using AI, but the one I see more is like securing um AI and hacking AI like it's opening up a lot of new uh very interesting attack surfaces that need to be pentested and secured. So a lot of research there and yeah, definitely something that there's going to be a lot of in the near future. Okay. Can I ask why there are as much network specific hacking tutorials as much as other ones? I'm not entirely sure what you mean, but I think you're asking why there's so many network ones tutorials. Um, the reason is like for uh ethical hacking for the a for a long time. Um that was like the bread and butter of what got you paid. 
Um and yeah what people wanted for pentest were network pentest. So you come in um pentest their organization like um now it's moving like you know remote work and on-prem off-rem cloud but um for a long time that was like the bread and butter. Have you come in and test like their on-prem uh network? You know what would happen if someone got into the Wi-Fi? what if someone got through and got into um an internal host and you know what can they do with their network what you know how can they deploy malware all that kind of stuff so I think that's why you see so many of those because yeah that's as far as like ethical

### [10:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=600s) Segment 3 (10:00 - 15:00)

hacking and pen testing, that was what there was so much of, um, and nowadays I think there's more web app than anything, because everyone has a web app, but yeah, that's why I think. Okay, this might be a question for the other Andrew, but what are your thoughts on platforms like Discord forcing you to upload an ID? What are the potential risks with that? Yeah, I saw that there was so much chat about that. I mean, personally, I definitely won't be uploading um an ID to Discord. I'm hoping that I'm just going to keep using it and for what I use it for um nothing will change and that I'm in like the teenager mode because I don't know. I just go on like actually two Discord channels, uh, Discord servers, which is the TCM one and Matt Brown's IoT hacking one pretty much. And then I also use it sometimes to game with my friends, like just to talk to them. So for me I hope it won't impact it. Um, what's the biggest risk is that Discord has already had breaches. They ba baited this somewhere else I think and they had a breach. So like it's most I think that's the biggest one is just like identity theft. Um, yeah, if they get breached, what, you know, now they have like your whole, a picture of your ID, address and driver's license number and everything um right for the picking for um cyber crime and whatnot. So, you're 56 and a veteran. Is it too late to start to learn IT security with a 4-year plan to study to be qualified by your 60th birthday? It's never too late. I don't think that it's ever too late um to get started or to learn. I know there are a lot of people that are veterans that have successfully transitioned into security. Um, TCM is a veteran, uh, was a veteran-owned uh company before Heath moved on. And you know, we've had a lot of veterans work here or still work here. 
And um, just like a lot of people I know in the cyber security community are coming from um, you know, not even specifically cyber roles in the military, but there's just like a lot of transition and skills of like how do you understand risk and things like that can make um that transition very well. And those people have a good perspective on it, like how to secure things. Just like that, the mindset, not even the technical aptitude. I don't know what you did um in the military. But yeah, I would not say uh it's ever too late. And um, yeah, I mean a four-year plan is probably good for that. I, you might, I mean depending on how you're going to study or where you want to get in. I mean you might be able to um get up to speed and land a help desk job faster than that and move from there. But yeah, I don't think it's ever too late. If that's what you really want to do, um, and that's what makes you excited, then you should pursue it. That's the one piece of advice I always give is if there's something you're really excited about and you're passionate about, it's going to make a big difference and I think you should pursue that. Okay, got lots of questions here. Hope I'm reversing Mirai malware that targets IoT devices. That would be cool. I would like to reverse or play around with Mirai. So maybe that's a good uh stream thing. Okay. What's going on here in the chat? Britt is the best. I agree. She's having an episode. I have no idea. Wait, what's going on here? I don't know what's going on. I don't know what I missed. Yes. Uh, collaborations planned with Matt Brown. Uh, yeah. Nothing specifically planned, but I chat with Matt every once in a while. Would you guys like to have him back on the TCM stream? We did have him once and it was pretty cool. We just did Q&A, but like he would probably do um some live hacking. So, as far as like with TCM, yeah, uh I'll let him know that people are asking and I'm sure he would come on another stream with us. 
It's been a while since we had him on last. And then, uh personally, yeah, I'm going to be doing some courses um like with him or on his platform throughout this year. So that'll be like separate from TCM, but just something that I'm personally

### [15:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=900s) Segment 4 (15:00 - 20:00)

doing in my spare time. So yeah, um lots of stuff going on with uh with a m with Matt Brown. Okay, see the question. What if we use a DTH antenna with microcontroller and nrf24 for IoT pentesting device? Yeah, sure. I mean, you can use NRF for your wireless stuff. Personally, whenever I'm usually have an IoT device in my lab, I find it much better to hook it up to a Linux device and uh go from there. Um there's just so much more utilities and stuff, but uh yeah, if you needed something for the field, I guess you could put something together like that. How difficult is it to transition from mathematics degree to cyber security? Is there any real overlap between the two fields? You're particularly interested in ethical hacking. Um, there is some. The one area where there's going to be some or there's a couple I can think of a thought in my mind. Uh, number one is like AI. A lot of mathematics there. So, if you wanted to get like deeper into the research side of like novel AI attacks, things like that, definitely some mathematics and statistics there. um especially for pulling off like the way more complex attacks that are like outside of my understanding um of like being able to extract uh models and training sets and data and stuff like that and be able to like recreate like Google's being Google's pissed off because people are doing that with Gemini right now. Um anyway, that's a whole another topic. So that's one and then like you know cryp cryptography and code breaking and those kinds of things uh very heavily mathematics as well. So definitely some overlap there. Okay. What is the future of firmware hacking is increased? Yes, 100% increased. What's the future of it? I think there's going to be a lot of it um in the near future. There's a few reasons uh for that one. 
And I could be a little bit biased because it's what I like, but um some things on my mind of why I think IoT hacking and firmware hacking are going to become um more popular in the near future is uh number one, the uh like EU Cyber Resilience Act is going to push manufacturers to take IoT security um a lot more seriously than they have because it's kind of been the wild west of like putting out insecure IoT devices and like if you want security, you just pay for it and if you want the cheapest device, you don't really get much security. Um, and now the manufacturers can't do that in the EU at least. And there's this thing called um like the California effect if you're in the States where like whatever state has like the most strict regulations then a lot of um uh companies they'll just, they'll make their product so that it meets those regulations because they don't want to have like a California version then a not-California version. So unless they're like too, too stringent, they won't um, yeah, they'll just make their product go with any of those. And I think you'll see that a lot in the EU where they just, yeah, their product, they're going to do pen tests and stuff on it. Um, and even still, it's just going to open up a lot of uh opportunities because that resiliency act is going to require pentests and things like that. So definitely going to be that. So that's number one. Uh, number two is uh AI devices. They need edge devices. So if you want to use AI to like impact something in the real world or get real world data, right? Instead of just like sitting at ChatGPT and talking to it, you need an edge device that's going to do, you know, whatever. Cameras that are going to, you know, grab the images or videos and send those to AI and analyze them. A lot of that stuff is very popular right now. So, it's going to create even more devices that need to be tested. 
And then I think the fact that they're interacting more with the real world and like having the ability to do things, um, then people are going to start being more interested in attacking them. Uh, probably also because they're like not liking the surveillance aspect, things like that, and they're just going to need to be secured. Um, like I can't talk too much about this because it's something that's going on at TCM right now, but I was pulled in to help out with some um scoping for a device that wants that needs a pentest and it was um a camera that has AI capabilities like the front facing hardware doesn't have any AI and it connects back to a cloud server. But um yeah, they were looking for pentest on that device and

### [20:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=1200s) Segment 5 (20:00 - 25:00)

it's a new device because of AI capabilities and so there's just going to be lots of that. So great question. Um, oh and one other thing too. There was another thing I was thinking of that um I think drone hacking and drone security is going to be huge um in the near future as well. And it's kind of like for a not great reason, but um like if you look at Ukraine and like the future of um what modern warfare is right like right now, it's going to be heavily um drone-based. So there's going to be a lot of opportunities there. Um, like I know someone that is just a drone hacker. And it's interesting because with a drone like you don't want um it to get shot down and then be captured by the enemy and then they take it apart. They have the hardware trying to access the firmware. Um, you're going to want to secure that before it goes out into operations, right? So you're not losing any of, you know, your uh intellectual property assets and things like that. Um, so yeah, there's going to be a lot in the drone space as well. Okay, I'm going to take a couple more questions and then at half past we'll start with the um router hacking and see where we can go and oh, good question here. Are we hiring? Uh, yeah, right now the parent company of TCM, Educate uh 360, yes, there are some job openings. Uh, I think Britt just posted them in chat. So yeah, if folks are interested, um yeah, check out the um openings that we have because there's a few like red team positions, I think, pentesters. Um, yeah, so definitely check that out. Okay. And did I miss anything that's really good that I just got to answer? That's a good one. Can I be your mentor to learn ethical hacking? I mean on YouTube for sure if you uh check through our videos we do have a lot of that. Um, if you want to come into the Discord channel and chat, I am there, lots of other people there to help out. So yeah, I would suggest that as well. Um, okay. 
Last thing before we get into hacking here that I wanted to chat about is um if you are interested in um bundles, the bundles we have, which are like a really good deal, they were just kind of like left up after, I don't know if we forgot to take them down or what happened, but um after the last sale, the bundles stayed up and they're like a really good deal. So, those are going away at the end of February. Maybe they'll come back for a sale like Black Friday or something again in a year or so, but um for the time being they are going away. Um, and it's the best value you can get and the biggest savings you can get um is if you purchase those. So there's a few of them. So yeah. Oh, I want to answer this question and then, because we're almost at half past, but I want, what's coming regarding AI hacking. Yeah, that's all I'm working on probably for the rest of the year here at TCM. Um, right now I'm working on, I guess you call it like an AppSec course, yellow teaming. I don't know what you would want to call it, but it's like um securing AI applications and it goes hand-in-hand with the AI Hacking 101 course and also the AI Hacking 201 and what I guess is going to be called the PAP, the POP. Um, because even if you want to do offensive security and AI hacking, you have to like understand the other side, right? When you're writing up your report and recommendations, you're saying, "Yeah, yeah, you're um vulnerable to, you know, whatever, prompt injection, um RAG poisoning, you name it." Uh, usually you'll come in with a recommendation, too, like, oh, you know, you need to do these things to fix it or turn this off or, you know, set up this. Um, so, in the AI Hacking 101 course, we did not really go over remediations as much. 
So that's what this follow-on course is going to be is like yeah, you know, vulnerable to prompt injection, what are the things that you can do, you know, what should we be doing, how do we sanitize the input, how do we use classifiers, um, those kinds of things. So that's what I'm working on right now. After that it will be AI Hacking 201 mostly, which is going to be a lot more focused on agentic um workflows and like MCP hacking and that kind of stuff because that's becoming so popular right now and it's, you know, it's not just the chat bots and talking to things. It's like all these big agentic workflows with like multi-agents and how you can get into like um abusing those and their outputs. Then after that it'll be the PAP, Practical AI

### [25:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=1500s) Segment 6 (25:00 - 30:00)

Pentest Professional, like the PNPT of AI hacking, and then I don't know, I haven't looked that far out. So, uh, yeah, that's what's going on with TCM and AI. And then like in my live streams and like some YouTube content, I'll be doing IoT stuff. But, um, yeah, that's what I got going on. So, thank you for asking, Hamza. Okay, I'll keep looking at the chat, but I am going to go and do some IoT hacking because that's what we're here for. So, let's hop over to that now. OBS. Cool. All right. Okay. So, last time we were trying to uh crack that word list. So, we're going to do that again and I'll just show you what I cracked it with because, yeah, or not crack that word list. So, if anyone's new here, what do we do? Last few streams we um took off the chip from the firmware, got the um firmware out, extracted it. We've looked through the firmware pretty extensively. We're trying to get into a shell in the UART um which we identified. And to do that, we found a um, we found a password hash, the root password hash. And we were trying to crack that last stream and we couldn't, but um I just was able to. So show you what um I got it with. So this is the top, what is this, million, top one two three, top 10 million uh passwords from uh SecLists I got this from. So, if you're not familiar with that, GitHub, it's called SecLists, and it just has a whole bunch of word lists, and I was just trying a bunch of these. Um, and then I'm putting this best 66 rule. So, it actually, I tried top 10 or top, yeah, this top 10 million. It didn't work just on its own. So, I like this rule. If you're not familiar with these rules, they just add like a bunch of permutations and stuff onto this. So, it's going to be way more than 10 million because it like, you know, does all those things where it puts the capital at the end and numbers, leet speak and all that kind of stuff. Um, so yeah. 
And then I'm disabling the potfile right now because I want to show you how, what, you know, you guys can get the um the whole thing. It'll crack pretty quickly, this one. So, I got a pretty powerful GPU on this computer. That's why I'm running this on my Windows one right now. I got this, I've chatted about this on stream a few times, but I got the um Evo uh X2. It is by GMKtec. It's like a mini PC, but it has the new um AMD AI Max+ 395 in it, which is like uh integrated GPU, CPU, RAM all together. Uh, and yeah, it's a beast for like AI stuff and cracking, but the AMD drivers are not as good on Linux. So, was having some issues with Hashcat and some stuff on Linux, which kind of sucks. So, anyway, it's why we're on Windows today. Cracked this guy pretty quickly. So, we got "fired up", which I'm now realizing though, I think someone was like suggesting to try this and we tried it and it didn't work before. But um anyway, I got a um shell to the router. I popped this up before. Let's see. So, it says uh root password for system maintenance. So, it's f i r e i t u p. So, it's capital. Let's see. No. So there is this, trying to just Control-D here for normal startup, but it's not. So okay, interesting. Okay. I'm going to try and restart it and we'll see if we can get in. Control-D. Maybe normal startup. Let me see. I want to stop auto boot cuz we already did that. Just mashing this right now.

### [30:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=1800s) Segment 7 (30:00 - 35:00)

Let's go. Normal startup. Got it. I think. I saw it scroll by. No. Okay. Maybe. Yeah. Okay. So, we're not in. So, we're probably going to need to do a little bit more poking around then. But this is like an interesting clue here. Two of these. We got to figure out what's putting that out. Is it from a script or is it from um, is it from a binary or something? Because that's probably what is uh checking. So, let us get back over to our handy dandy Visual Code here. Okay. So, now we're going to take a look at the SquashFS and uh let's see here. Ah, okay. We got a few people asking what the heck I'm doing. So, um I got a router here. We opened it up um the last few streams. If you go back and look, open it up. We took the chip off the device, got the firmware out, extracted the firmware, we started reverse engineering it. Right now, I want to get a UART shell into it. So, that's, I have the UART connection here, uh, through PuTTY. That's this, but I don't know what the password is. And so, we found a hash for the root password of the device um, and we cracked it. However, this seems to be some sort of custom um binary or something like that that's doing this login. Um, it's outputting this like "give root password for system maintenance". So, the one thing I see is like that wording to me uh does not seem like it's from a regular thing, like "give root password". Um, I don't think that's how like it would be. Yeah. Like the, like, yeah. So, I think there might be something custom going on here. Um, so I'm just looking to see what binaries are uh here. And we're going to see if we can figure out that. So, I want to add that to the notes. Need to add this to our notes here. Um, passwd contents. Okay. So we can add, yeah, here. Okay. So we're going to add, so this one is this. Let me make sure this is the right hash here. Copy that over, paste that in properly. I don't want that. Want to grab that whole terminal output. Uh, yeah, we can try the other one too. 
I don't know if it's a full hash though. Let me uh here. Yeah, we could try this one, too. Might as well. Why not? It doesn't have a shell. It

### [35:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=2100s) Segment 8 (35:00 - 40:00)

doesn't like have anything. So it leads me to believe like this is what the shell is in user. So but yeah, we could try it as well. So why the heck not? Let's copy this here. Might as well. Okay. Where did I have it saved? Here it is, in hash.txt. Here. Now add hash2.txt. Okay. Okay, let's see if it's in this one now. Okay, well, we'll leave that running. Miss, good call. Same one, same hash as well, just different salt. Cracked it. So unfort, same one, "fired up". So they're both the same. So now we know, though, definitely a good thing to check. Now we know. Copy this. What the heck? Oh, still getting used to my new keyboard here, which I just got, which is uh a split ortho keyboard. It's taking me a long time to get used to it, but uh my wrists were bothering me so much and it's been helpful. Okay, so yeah, neither of these are the right ones. So, um yeah, what now? Let's, I want to go back to here. Here I want, I need the exact wording for this which is "give root password for system maintenance". Okay. So we're going to do a strings of interest here and it is capital "Give root password for system maintenance". Okay. And then I mean this could be, so and then it's "or type", space. Yeah. "Or type Control-D for normal startup". This is a good question. You just ordered your stuff, getting ready to find you for CV. Uh, what devices would you recommend? Uh, smart cameras, cheap smart cameras, cheap routers are um probably your best bet in my opinion. Okay. So, what I want to do now is we're going to go, I want to go into here, squash-root. Yeah, let's try in bin first. So, we're going to go

### [40:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=2400s) Segment 9 (40:00 - 45:00)

dash and actually, yeah, strings. So what do we want to do here? I'm trying to think of what I want to do to show you guys, which I kind of want to show you a new tool that I've been working on actually. So, let's see if we can get that working. And um if we can't, then I'll go back to this manual. But um yeah, I'm going to launch up this new tool I've been working on here. Okay. So, yeah, I was debating whether I was gonna show you guys this on stream today, but I've been working on this really cool tool. It's still like in development, kind of like alpha, I would guess, but um it is a uh, it's called wares, like for firmwares, and it is a uh AI-assisted reverse engineering tool for uh firmware. So you can upload a project and then like get AI assistance with reverse engineering and stuff. It uses like uh kind of like MCP so that the AI has access to call tools and things like that. So it can do fully autonomous, or like you'll get better results with like the human in the middle and kind of guiding it. So yeah, I don't know. I kind of want to show you guys. So I'm actively working on it though. So, we'll see uh if we can get it working with this MIPS um firmware or not. So, let's uh add a new project here, which I think is right under my face, which is why I can't see it. And then I got to download this firmware here. Let's just grab this firmware. Download this. Sure. Tenda router from TCM live stream. Oops. This did not download. Okay, I guess it didn't download yet. Oh, yeah. I can't, I need to download it. It doesn't like doing this. It's here. It is here. Why can't this guy see it though? Oh, put it in the wrong, I was looking in the wrong spot. Okay, let's see. So let's see. Was it able to extract it? Some stuff, only the bin. Everything is in the root though. So yeah, some things did not work. It got the bin file extraction. Okay, let's see if we do the component map here. Okay, interesting. So with the, so looks like it only, I don't know. 
Okay, so this So the way that it works is it comes in and it tries to extract that automatically. So it looks like all this one got is the bin folder. I don't know why. I'm going to have to go and figure out look at the logs and stuff to see or it just has everything under Yeah, all this is I think the bin folder. So yeah, some issues there, but um yeah, it should be directories here. I'll show you another one. So like here is some of my testing firmware that like I've written. So like this one, if we go file explorer, like you can see this one pulled it out properly or we got like the bin dev folder like it puts it all in the folders.

### [45:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=2700s) Segment 10 (45:00 - 50:00)

And then you can do a component map, which is cool. So I already generated this, but this shows the links between all the binaries and the libraries and scripts and config files and things like that. So let's zoom out here to somewhere where you can see more. You can see, for example, that this WPA passphrase uses these, which is kind of cool. You can generate an SBOM automatically, which is nice, so you can just see what components are there, what it has. But a lot of other software can do this. So the really cool thing about this is going to be two things. One, I'm doing firmware emulation, so you can automatically do emulation right in this if you want to test something quickly, and I'm also developing automated fuzzing, so it can do fuzz testing as well, and all these tools are hooked into the AI. So, for example, if you want to do system-mode emulation, you need a kernel. If you don't know what kernel to use, you can get the AI's help with it. And you can also ask it about the files. So we'll just do that for this one here anyway. Okay. So if we go to the file explorer, and let me just quickly move my face here, we can chat with the AI about the files and it can do a bunch of the reverse engineering for us. So let me just move my face to... I don't know, here. So let's use Opus 4, and we're going to say, from here... I just want to copy my notes here. Notes. "I'm trying to find the password for the UART shell. It's not the one from the passwd or shadow file. I think it's using a custom binary, as I see this message in UART when attempting to log in." Oops. New check files tools. Okay. Can't use Opus right now. Let's try Sonnet. Fun times. So you can see it has all these tools that it has access to. I was going to try and use Opus, but I don't know why Opus is not working right now. It's the more powerful of the Anthropic ones, but Sonnet's fine.
So you can see I programmed in all these tools. It can look at the directory, see all the files in the directory. It's looking for hard-coded credentials. Now it can read the file. See, it's using strings now to search for related strings, which is pretty cool. So it can do all this stuff. It's doing it all in the back end without needing to go and manually do this, which is cool because it makes this more accessible and you can also really automate it. So it's finding things already, which is interesting. But I'll show some more of this before we finish, because this is just kind of the start of what it can do. This stuff is just pretty straightforward bash commands that it's running in the back end to search and extract strings and things like that.

### [50:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=3000s) Segment 11 (50:00 - 55:00)

But it can also do reverse engineering, and some cool stuff with the reverse engineering, which we're going to take a look at as well. So I'm going to answer some questions right now because we've got the robots doing the work for us. And yes, this project, I am actively developing it. It's just me. Well, it's me and Claude Code, which I've been using a bunch. I have a background in software development, somewhat, but yeah, I've been using Claude Code a lot and it makes things a lot faster. So I'm actively developing this. It's not even out yet, really. Sorry, it's not out at all, but I hope to be releasing it; it's going to be a fully open source project, everything. So this is going to come with options for fully autonomous stuff too, which is really cool because I think it's going to help make firmware a lot more secure, because you can let the AI do a lot of it. Which, yeah, it's not super hard stuff to do, but you can just pump it in and look at the findings. So you can see it's reverse engineering right now. I also gave it the capability to use Radare2 and Ghidra in the back end, so it can decompile. It's decompiling, and it can look at the assembly and also put it back into C as well. So yeah, it's a pretty cool tool. I don't know if you're asking about the bundles, but yeah, end of month is when the bundles go away. So you've got about 10 days. It's a short month. So that's pretty neat. Thank you. It's still very much at an alpha stage right now, but I wanted something... it started out with me wanting something to be able to pass stuff to AI faster. So I wanted to have the tools, but now I'm realizing that there's a lot of automation that can be assisted by AI, and also the new Anthropic models are just so good.
This, in the comments... this is getting complex, I agree. I need to figure out why Opus is not working right now. Anyway, Opus is the real... Sonnet is the cheaper one. So the only thing is, for this to work properly you need to put in an Anthropic API key, but it doesn't use a crazy amount of tokens. I put $5 in and I've been testing it for a couple of weeks now, and I've used like three or four dollars' worth. So it's not super expensive unless you do a lot with Opus, which is the one that's more expensive. Question: do you need assembly for malware development, for payloads? Yeah, probably, to be honest. If you want to be able to realistically write stuff that's going to work properly and troubleshoot it, then yes, I think you do. We have an excellent assembly course on TCM Security Academy that I authored, called Assembly 101. I built it specifically for this reason, because it's always just like, exploit development, reverse engineering, "oh yeah, you understand assembly." But no, that's a tough topic. So I wanted to make something very approachable. If you're interested, check that out. I did that course as a personal interest; I asked Heath if I could do it and he said yes because he realized that I was excited and passionate about it. And yeah, it's probably my second, maybe even my most favorite course I've created for TCM, that assembly course. So yeah, underrated course in my opinion. Check it out if you want to learn assembly. Just checking if I missed anything in the chat while we let this go. What happens when malicious AI targets autonomous AI systems like self-driving cars or AI drones?

### [55:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=3300s) Segment 12 (55:00 - 60:00)

Yeah, there's going to be a lot of that in the future, AI versus AI systems. This is one of the things I was thinking about with the scoping for this one camera that we've potentially been asked to do some pen testing on, and what's in scope. We're going to have to ask; I didn't get details about this, but is the AI in the back end in scope? Do we need to test whether it's possible for certain gestures, or painting your face a little bit, or something like that... because this uses facial recognition and things like that, can we bypass that? Is there adversarial AI, as they call it, adversarial prompts that we can use? Is there prompt injection? Are there tools that run in the background that pass that stuff into the AI? And like we're doing right now, we're not attacking AI with AI; we're using AI for security research. But there's no reason you can't pit AI against AI. It's already happening and people are doing it. So yeah, great question. So this thing's chugging along. I'm inclined to see where it goes. I mean, this is still in alpha, but we'll see if it finds anything. It seems to think so. There's this promising string. Is this found in CNSL_Safe? We might as well just try it. Is that crazy? The other thing too is that it doesn't have all of the files, because I don't think it properly extracted it; I don't see any of the directories or anything. So that's the one thing I need to do on this: it works great with my test firmwares, but I need to put in a whole bunch of different types of firmware and different architectures and different file systems and things like that. That's why it's still in alpha. Okay. 1 W 61 M 2 PC_955. No, it's not that one. Okay.
It's a long shot. I wonder if maybe it's for something else. Who knows? Okay. Where can you find the assembly language course and is it paid? It is on the TCM Security Academy. Yes, it is paid. That one is in our full academy. So it's $30 a month to get access to that. You can definitely take that whole course in a month. It's not super long; I think it's like 13 hours. So yeah, that's... yeah, brick and link it. So... Oh, Alex is here. Hey, Alex. Okay, I'm showcasing this; this is an alpha. I decided to show people what I'm working on. It's chugging along here. This is a new open source tool I'm working on. It's called Wares. It is AI-assisted firmware analysis, reverse engineering, hacking. So right now we have this Tenda router that we've been hacking, and we're trying to get the root password for it, and we're giving my AI tool a crack at it. It has access to a lot of tools itself, kind of like MCP. So you can see here it's using a bunch of tools like list imports, add finding, search strings, clean up decompiled code, which is pretty cool. It's doing all this stuff in the background right now. Let's see. So it says it thinks it's this, but it's not. So this binary appears to handle console safe

### [1:00:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=3600s) Segment 13 (60:00 - 65:00)

twostep. It did not work for me though. Interesting. Is it connected to Ollama? No. This one is... no. This is Anthropic. So I'm using the big guns, except Opus isn't working right now. I would like to give Opus a shot for this, but I don't know why; I was getting API errors, but Sonnet is no problem. So you can see I've got Haiku, Sonnet and Opus, but I don't know what's up with Opus right now. The API was giving me errors. But it's not too expensive. I've probably spent less than $5, and I've been doing a lot of testing on this. So one of the cool things though... okay, so it's talking about this binary here. I want to show this to everyone as well. The CNSL_Safe is this one. So let's collapse this. Okay. So this is one of the cool things that you can do here: you get these details about the binary, like, yeah, nothing huge. It tells you what security there is here. So there's nothing on this one, which is interesting: it's got no PIE, canary, or non-executable stack; all that stuff is off, which relates to when people were asking about binary exploitation of IoT devices. Then if you come in here, you can see all these functions. So we've got the entry point, and we can see where it's talking about... so if we look at these functions here, for example, these are all C1s. But if we want to look at entry, for example, we can actually see the disassembly here. So if you're familiar with MIPS assembly, we can look through the raw disassembly. But the really powerful thing is we can decompile this. It does take a little bit, because now it's going into Ghidra in the back end. And let's see this one. This one's maybe not here. Let's see if we can find a function that is here. See if we can get this one working. So now we get this Ghidra output here, which, to me, doesn't really show a lot.
So what we can do is we can ask the AI to clean it up, which is nice. And then it can go in and see what's going on and add comments. So: executes system command operations through function pointer calls. Appears to be a wrapper function that calls imported system calls. Command functionality calls imported function through global offset table. So this would take me a long time to read through and figure out what the heck these double pointers and things like that are doing. However, with this AI cleanup, it makes the reverse engineering so much easier. And then we can also add this here and ask about the firmware as well. So we could say: "Can you check over the do system cmd function in this binary and see if there are any security implications? Specifically I'm interested in the imported function in the global offset table." So now we can send it to do its thing. And yeah, this is one of the things I really created this for: the autonomous AI stuff is cool, but when I'm reverse engineering I was copying and pasting stuff into Claude or Chat

### [1:05:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=3900s) Segment 14 (65:00 - 70:00)

GPT or stuff, and it's so much easier just to have it all in one place. And then I was like, why don't I just put in an assistant and get a bunch of agents and let it go with that. So yeah, some people hit 50-day streaks recently, which is cool to see. Oh man, we're going over... we're going over the... I'm using it too much here. Okay. Let's chat about BugForge quickly. I've been using this a bunch today. Okay, we've got to slow it down. First off, yeah, I want to talk about BugForge because Alex Olsson is here. If you haven't checked out his new platform, it's super cool for learning about web app security. But Alex, I haven't been chatting... I was going to do an IoT challenge. We still need to get on that, Alex. I want to do an IoT one. And if you have not, I believe it's bugforge.io, so definitely go and check that out. "If I use OpenRouter, I can avoid the rate limits." Yeah, maybe I should. It's because I did let it do the whole huge assessment on its own. So we'll come back to this later, but here's BugForge. Go and check that out. Then to answer this question, "you see this is hosted locally?" No, the LLM in the background right now is using the Claude API; it's the public API, but you need to pay for it. Honestly, I've spent like $5 probably so far, maybe less, and I've been doing this for a couple of weeks. We just hit the rate limits because it did so many tool calls. If you look back through here, to find this binary and go through all these tool calls, they take a lot of tokens: searching files, listing directories, all that kind of stuff. In my development plan, I am planning on doing a launch script that lets you choose between the Anthropic public API like that, or Ollama or vLLM, bring your own LLM, or also ChatGPT, like OpenAI. All those in the background. Right now I'm just using Claude.
Honestly, Opus is so powerful that I want to always start with that, especially for reverse engineering. But yeah, going to try that as well. So anyway, sorry we didn't find the password yet, but I'm probably going to let my AI run through it a little bit slower too, and I'll show you guys if we find it. But yeah, this tool, if you're interested in it, I'm going to release it fully open source to the public, everything, in probably the next couple of weeks, maybe even this week. I don't know; it still needs some refinement. I'm working on it in my spare time. But let's hop back. I'll look through the chat quickly. We're already over time here. So let's see what's going on in the chat. Yeah, I think so. I mean, you've got to do the stuff. I love reading books. I know not everyone learns from books, but I'm a book learner. I like reading books. I've got one right here. This is the one Alex is going to appreciate. This book by Tanya Janca, I don't know how she pronounces her name, she goes by SheHacksPurple: Alice and Bob Learn Application Security. It is a very good book. I'm about halfway through it. Personally, yes, I like reading books, but you really need to go and do the stuff in the books, especially if there are commands and things like that. Yeah, you should read those. I've got a couple of other cool books I want to show that I just picked up, some other books I am reading right now that are super cool. Got the bookmark in it. This one, From Day Zero to Zero Day. I'm really enjoying this book as well. I'm addicted to No Starch Press. I have so many of their books. And then this one.

### [1:10:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=4200s) Segment 15 (70:00 - 75:00)

Love the cover of this. It's literally a leather-bound Microcontroller Exploits by Travis Goodspeed. This is one of those books where I'm reading it, but some of the stuff is just so... even over my head. Like, PIC ultraviolet unlock, like in a PIC microcontroller. So yeah, this is over my head, even some of this stuff. But a fun book to read through. Okay. Is it possible to use a debugger to extract passwords or other sensitive data if they are stored in plain text within the IoT device's memory or firmware? Yeah, absolutely. So I think what you're saying is... sorry, yes, 100%. That is a common attack vector for hardware-based things that you're trying to get into, like, for example, crypto wallets. So if you want to see some attacks that go after this, Joe Grand has some very interesting videos on YouTube, super high production quality. They're not as technical though. He does go into some of the technical stuff behind it, but not fully enough that you could follow it without a lot of your own research. But yes, this happens. So it needs to be somewhere in memory, right, for it to decrypt it, check it against what you put in and make sure. So you can go in and read the memory through JTAG or things like that. And there are protections in place against that, especially for things like hardware wallets. But if you get into more advanced attacks like glitching, you can potentially glitch past those protections that stop you from reading the memory with JTAG or something like that. And then it's sometimes possible to view the contents of that. And other times it's not secured. Like there's one where he gets into a phone through JTAG. Yeah, he's able to just access the memory and find the PIN for the phone, a Samsung phone, through that. So yes, 100%.
They need to do one. I would sign up for that. I have the guy, Bill I think is his name, on LinkedIn. I've chatted with him a few times. I'm going to tell him that they need to do that. Yeah, 100%. We need that. Yeah, because I see them on Humble Bundle sometimes, but I need the book. I like to open it up, or I take it into bed with me before bed and I read it until I fall asleep, and I like to write in it. I need the book. I tried an e-reader; wasn't my thing. Okay, a couple more questions about books. Pentest book and firmware now. Okay, I'll bring over some more books from my personal library here. Okay, I've got some goodies here. So, firmware analysis. There are a couple of good ones. This book is really good: Practical IoT Hacking. You can see what I was reading here last, about analyzing network protocols. Got the old-school TCM "hate less, hack more" sticker here. Oh, nice to see you, Alex. I hope you enjoy tacos. This is a great book. Goes into firmware analysis, IoT hacking, everything you could want. Really good book. Recommend this for firmware stuff. Also another really cool book, you can see mine's literally falling apart, I'm reading this one a bunch: Fuzzing Against the Machine. This goes into how to do fuzzing against IoT devices with emulation on QEMU. So this has been a good resource for me too, and I'm developing this AI tool that's trying to automate that. And then also, if you're interested in IoT devices, this book right here is a thick boy. I've read this thing front to cover maybe

### [1:15:00](https://www.youtube.com/watch?v=K8VA23kmUJg&t=4500s) Segment 16 (75:00 - 78:00)

two, three times. You can see it's all getting dog-eared and stuff. And I liked this so much I literally went and bought the next edition of it when it came out. So I haven't really had a chance to read too much through the changes in this one yet. But if you want to learn how to hack anything, like for me it's embedded Linux and embedded systems because I like IoT, but whatever it is you want to hack, get these and learn about what the developers are doing, like what are the non-hackers doing, because this goes into the boot process and bootloaders and, you know, all those details. It's not specifically about hacking. But if you understand how a system works very well, that's like 90% of hacking anyway. It's just really understanding how the system works, what the developers are doing, what shortcuts they're taking. Really understanding that well is what makes people, in my opinion, good hackers. Like the best web app people, in my opinion, are developers that understand application security well. Some of the best network pentesters, and people that are doing AD pentests, are those that have been sysadmins or at least understand the ins and outs of how the systems are set up. So yeah, that one. Oh, and then someone else was asking about assembly before. This book is very good for learning assembly as well: Introduction to Computer Organization. This is the book I wish I had in university, because I learned some of this stuff in university and I struggled so hard in the old-school university style of teaching about how microcontrollers and microprocessors work at a very low level, and memory management and things like that. And then I read this book, and yeah, it was really good at breaking that down in a way that I could understand, which was nice because a lot of things clicked.
So there are my book recommendations. Thank you for humoring me and looking through my library with me. I definitely have some more reading to do, but we're already 20 minutes over here, so I'm going to wrap up now. I do want to say a big thank you to everyone for hanging out with me, checking out my AI tool, doing some IoT hacking. Didn't really get through as much today as I planned, because I wanted to show that tool, because I've just been obsessed with that tool recently. That's what I've been doing in all my spare time. So yeah, appreciate you all hanging out. One last thing: go check out those bundles. If you haven't, just check them out. See if they're for you. They are a really good deal. That's the only reason I'm calling it out, because they're ending in February. If they're not for you, no worries at all. We also have our free tier; go and check that out, we've got over 100,000 people on it right now. So yeah, appreciate you all hanging out. I hope you have a good rest of your day, evening, morning, wherever you are. And I will see you again, I guess, three weeks from now. So bye for now.

---
*Source: https://ekstraktznaniy.ru/video/23444*