HomePwn - Swiss Army Knife for Pentesting of IoT Devices

HomePwn is a framework that provides features to audit and pentesting devices that company employees can use in their day-to-day work and inside the same working environment. It is designed to find devices in the home or office, take advantage of certain vulnerabilities to read or send data to those devices. With a strong library of modules you can use this tool to load new features and use them in a vast variety of devices.

HomePwn has a modular architecture in which any user can expand the knowledge base about different technologies. Principally it has two different components:

Discovery modules. These modules provide functionalities related to the discovery stage, regardless of the technology to be used. For example, it can be used to conduct WiFi scans via an adapter in monitor mode, perform discovery of BLE devices, Bluetooth Low-Energy, which other devices are nearby and view their connectivity status, etc. Also, It can be used to discover a home or office IoT services using protocols such as SSDP or Simple Service Discovery Protocol and MDNS or Multicast DNS.
Specific modules for the technology to be audited. On the other hand, there are specific modules for audited technology. Today, HomePwn can perform auditing tests on technologies such as WiFi, NFC, or BLE. In other words, there are modules for each of these technologies in which different known vulnerabilities or different techniques are implemented to asses the device's security level implemented and communicated with this kind of technologies.

Built With

Python - Programming language used
Prompt Toolkit - Python command line

Documentation

It's possible to read the documentation in our papers:

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Prerequisites:

You need to have Linux and python 3.6+ running in your computer, please install them in the download page.

Ubuntu, Debian or similar.
Python 3.6+.

Installing all requisites:

To install all dependencies in Ubuntu 18.04 or derivatives use the file install.sh

> sudo apt-get update 
> sudo ./install.sh

The script ask you if you want to create a virtualenv, if your answer is 'y' then it installs python libraries within the virtual environment, if not in the system itself

Usage

To run the script, if you chose a virtual environment in the installation follow execute the next command to activate the virtual environment:

> source homePwn/bin/activate

Launch the application:

> sudo python3 homePwn.py

Examples

Here are some videos to see how the tool works.

HomePwn. Bluetooth Low-Energy PoC & Hacking

HomePwn. Bluetooth Spoofing

HomePwn. NFC Clone

HomePwn. BLE capture on PCAP file (sniffing)

HomePwn. QR Options hack

HomePwn. Apple BLE Discovery

HomePwn. Xiaomi IoT Advertisement

Authors

This project has been developed by the team of 'Ideas Locas' (CDO - Telefónica). To contact the authors:

Pablo Gonzázlez Perez -- @pablogonzalezpe -- [email protected]
Josué Encinar García -- @JosueEncinar -- [email protected]
Lucas Fernández Aragón -- @lucferbux -- [email protected]

See also the list of CONTRIBUTORS.md who participated in this project.

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.

License

This project is licensed under the GNU General Public License - see the LICENSE.md file for details.

Disclaimer!

THE SOFTWARE (for educational purpose only) IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

This software doesn't have a QA Process.

Github page: https://github.com/ElevenPaths/HomePWN

October 28, 2019

Author

Hakin9 TEAM: Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.

Latest Articles

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments

Inline Feedbacks

View all comments

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.