LoRa-WAN


Introduction

The long range wide area networking (LoRaWAN) protocol is designed to allow low-powered devices to communicate with Internet-connected applications over long range (LoRa) wireless connections. It is a MAC layer protocol built on top of LoRa, which is the physical layer (PHY), i.e. the wireless modulation protocol.

One of the biggest advantages of LoRaWAN is its long-range capability: a single gateway (antenna) can cover an entire city or hundreds of square miles, although coverage depends heavily on the environment and obstructions at a given location. Furthermore, the LoRaWAN stack does not require licensed spectrum to transmit messages; it operates in unlicensed bands, making it a low-cost technology compared to licensed-spectrum solutions.

Interactive Map to Detect LoRa Gateways

LoRaWAN Applications

  • Smart City (e.g. parking, lighting, traffic management, metering, weather monitoring)

  • Industry (e.g. asset tracking, climate control)

  • Security (e.g. panic buttons, gunshot detection, flood monitoring)

  • Smart Home (e.g. alarm systems, home automation)

  • Smart Agriculture

  • Smart Healthcare

Architecture

Security in LoRaWAN

Device Activation

Data Required for Session Key Derivation

NwkSKey = aes128_encrypt(AppKey, 0x01 | AppNonce | NetID | DevNonce | pad16)
AppSKey = aes128_encrypt(AppKey, 0x02 | AppNonce | NetID | DevNonce | pad16)

Cyber Security Risks and Threats

  • Reverse Engineering Devices

  • Device Tags

  • Hardcoded Keys in Open Source Code

  • Easy-to-guess Keys

  • Network Servers with Default or Weak Credentials

  • Servers with Security Vulnerabilities

  • Compromised Device Manufacturers

  • Device/Infrastructure Deployment Technicians

  • File Disclosure

  • Service Provider Breach

  • Offline Key Cracking

Compromised keys and Cyber Attacks

  • Denial of Service to Devices and Networks

    • Sending Valid Messages

    • Regenerating Session Keys

    • Sending Valid MAC Commands

  • Sending Fake Data

Cyber Attack Scenarios

  • Utilities and Smart Meters

  • Smart Industry

  • Smart Cities

  • Smart Home

Auditing Insecure Networks and Detecting Cyber Attacks

  • Message Replay

  • Fake Messages and Denial of Service (Simultaneous Sessions)

  • ABP Devices

  • Well-known or Non-random Keys


REFERENCES

https://github.com/IOActive/laf
https://act-on.ioactive.com/acton/attachment/34793/f-87b45f5f-f181-44fc-82a8-8e53c501dc4e/1/-/-/-/-/LoRaWAN%20Networks%20Susceptible%20to%20Hacking.pdf
https://www.thethingsnetwork.org/map
Figure 3. Session Key Generation in LoRaWAN v1.0.*