V33RU/awesome-connected-things-sec

GitHub: V33RU/awesome-connected-things-sec

A comprehensive resource list covering IoT, ICS and connected-vehicle security, spanning hardware attacks, firmware reverse engineering, wireless protocol analysis and defensive techniques.

Stars: 3205 | Forks: 530

🔐 Curated Connected-Device Security Resources

A curated repository of security knowledge for IoT, embedded, industrial and automotive systems, and their core technologies.


## Table of Contents

- [Hardware Attacks](#hardware-attacks)
  - [Fundamentals](#fundamentals)
  - [Interface Attacks](#interface-attacks)
    - [UART](#uart)
    - [JTAG](#jtag)
    - [SWD (Serial Wire Debug)](#swd-serial-wire-debug)
    - [SPI](#spi)
    - [I2C](#i2c)
    - [TPM](#tpm)
  - [Memory Extraction](#memory-extraction)
    - [eMMC](#emmc)
  - [Side-Channel and Fault Injection](#side-channel-and-fault-injection)
    - [Fundamentals](#fundamentals-1)
    - [Glitching Attacks](#glitching-attacks)
    - [Power Analysis](#power-analysis)
- [Wireless Protocols](#wireless-protocols)
  - [RF Fundamentals](#rf-fundamentals)
  - [Bluetooth / BLE](#bluetooth-ble)
    - [Fundamentals](#fundamentals-2)
    - [Exploitation Techniques](#exploitation-techniques)
    - [Vulnerability Research](#vulnerability-research)
    - [Conference Talks](#conference-talks)
    - [Tools - Software](#tools-software)
    - [Tools - Hardware](#tools-hardware)
    - [Tools](#tools)
    - [Hacking Bluetooth Coffee Machines](#hacking-bluetooth-coffee-machines)
  - [Zigbee / Z-Wave](#zigbee-z-wave)
    - [Fundamentals](#fundamentals-3)
    - [Exploitation](#exploitation)
    - [Tools - Software](#tools-software-1)
    - [Tools - Hardware](#tools-hardware-1)
  - [LoRa / LoRaWAN](#lora-lorawan)
    - [Fundamentals](#fundamentals-4)
    - [Exploitation](#exploitation-1)
    - [Tools](#tools-1)
  - [Matter / Thread](#matter-thread)
    - [Fundamentals](#fundamentals-5)
    - [Security Research](#security-research)
  - [Cellular (GSM/LTE/5G)](#cellular-gsmlte5g)
    - [Fundamentals](#fundamentals-6)
    - [Exploitation](#exploitation-2)
    - [Tools](#tools-2)
  - [NFC/RFID](#nfcrfid)
  - [DECT (Digital Enhanced Cordless Telecommunications)](#dect-digital-enhanced-cordless-telecommunications)
  - [Wi-Fi](#wi-fi)
    - [Protocol Vulnerabilities](#protocol-vulnerabilities)
    - [Exploitation](#exploitation-3)
    - [Reverse Engineering WiFi](#reverse-engineering-wifi)
  - [USB](#usb)
  - [UWB (Ultra-Wideband)](#uwb-ultra-wideband)
  - [TETRA](#tetra)
- [Firmware Security](#firmware-security)
  - [Fundamentals](#fundamentals-7)
  - [Extraction](#extraction)
  - [Static Analysis Tools](#static-analysis-tools)
  - [Dynamic Analysis and Emulation](#dynamic-analysis-and-emulation)
    - [Emulation Tutorials](#emulation-tutorials)
  - [OTA Update Security](#ota-update-security)
    - [Fundamentals](#fundamentals-8)
    - [Attack Vectors](#attack-vectors)
  - [RTOS Security](#rtos-security)
    - [Zephyr RTOS](#zephyr-rtos)
    - [FreeRTOS](#freertos)
  - [Reverse Engineering Tools](#reverse-engineering-tools)
    - [Reverse Engineering Tutorials](#reverse-engineering-tutorials)
    - [Ghidra Tutorials](#ghidra-tutorials)
  - [Online Assemblers](#online-assemblers)
  - [ARM Exploitation](#arm-exploitation)
  - [Binary Analysis](#binary-analysis)
  - [Secure Boot](#secure-boot)
    - [Development](#development)
    - [Bypasses](#bypasses)
  - [UEFI Security](#uefi-security)
  - [Symlink Attacks](#symlink-attacks)
  - [Router Firmware Analysis](#router-firmware-analysis)
  - [Router Exploitation](#router-exploitation)
    - [Netgear Series](#netgear-series)
    - [TP-Link Series](#tp-link-series)
    - [Cisco Series](#cisco-series)
  - [Secure Boot Bypasses](#secure-boot-bypasses)
- [Network and Web Protocols](#network-and-web-protocols)
  - [MQTT](#mqtt)
    - [Fundamentals](#fundamentals-9)
    - [Security and Exploitation](#security-and-exploitation)
    - [Known CVEs](#known-cves)
    - [Tools](#tools-3)
    - [Applications](#applications)
    - [Malware Research](#malware-research)
  - [CoAP](#coap)
    - [Specifications and Security](#specifications-and-security)
    - [Tools - Software](#tools-software-2)
    - [Tools - Hardware](#tools-hardware-2)
    - [Research and Tutorials](#research-and-tutorials)
  - [mTLS](#mTLS)
  - [IoT Protocols Overview](#iot-protocols-overview)
- [Cloud and Backend Security](#cloud-and-backend-security)
  - [AWS IoT Security](#aws-iot-security)
    - [Fundamentals](#fundamentals-10)
    - [Tools](#tools-4)
    - [Vulnerabilities](#vulnerabilities)
  - [Firebase / Cloud Misconfigurations](#firebase-cloud-misconfigurations)
- [Mobile Application Security](#mobile-application-security)
  - [Android](#android)
    - [Android Kernel Exploitation](#android-kernel-exploitation)
    - [Android Scudo Allocator](#android-scudo-allocator)
  - [iOS](#ios)
- [Industrial and Automotive](#industrial-and-automotive)
  - [ICS/SCADA](#icsscada)
  - [Automotive Security](#automotive-security)
  - [EV Chargers](#ev-chargers)
- [Payment Systems](#payment-systems)
  - [ATM Hacking](#atm-hacking)
  - [Payment Village](#payment-village)
- [Tools](#tools-5)
  - [Hardware Tools](#hardware-tools)
    - [Multi-Purpose](#multi-purpose)
    - [Debug Adapters](#debug-adapters)
    - [RF/SDR](#rfsdr)
    - [USB](#usb-1)
    - [Glitching](#glitching)
    - [Flipper Zero](#flipper-zero)
    - [Hak5](#hak5)
  - [Software Tools](#software-tools)
    - [Exploitation Frameworks](#exploitation-frameworks)
    - [Firmware Analysis](#firmware-analysis)
    - [Fuzzing Tools](#fuzzing-tools)
      - [Fundamentals](#fundamentals-11)
      - [IoT-Specific Fuzzing](#iot-specific-fuzzing)
      - [Tools](#tools-6)
    - [Pentesting Operating Systems](#pentesting-operating-systems)
    - [Search Engines](#search-engines)
- [Defensive Security](#defensive-security)
  - [Threat Modeling](#threat-modeling)
    - [STRIDE Framework](#stride-framework)
    - [IoT-Specific Threat Modeling](#iot-specific-threat-modeling)
  - [Secure Development](#secure-development)
    - [Guidelines and Standards](#guidelines-and-standards)
    - [Hardening Guides](#hardening-guides)
  - [Incident Response](#incident-response)
- [Learning Resources](#learning-resources)
  - [Training Platforms](#training-platforms)
  - [Cheatsheets](#cheatsheets)
  - [Vulnerability Guides](#vulnerability-guides)
  - [Pentesting Guides](#pentesting-guides)
  - [YouTube Channels](#youtube-channels)
  - [Books](#books)
    - [Hardware Hacking](#hardware-hacking)
    - [Firmware and Reverse Engineering](#firmware-and-reverse-engineering)
    - [IoT Security](#iot-security)
    - [Wireless and RF](#wireless-and-rf)
    - [Embedded and Mobile](#embedded-and-mobile)
    - [NFC/RFID](#nfcrfid-1)
    - [Industrial and General Security](#industrial-and-general-security)
  - [White Papers and Reports](#white-papers-and-reports)
    - [IoT Series](#iot-series)
- [Labs and CTFs](#labs-and-ctfs)
  - [Vulnerable Applications](#vulnerable-applications)
    - [IoT](#iot)
    - [Router/Firmware](#routerfirmware)
    - [Hardware](#hardware)
    - [Wireless](#wireless)
    - [Industrial](#industrial)
    - [VoIP](#voip)
  - [CTF Competitions](#ctf-competitions)
    - [Hardware CTFs](#hardware-ctfs)
    - [IoT CTFs](#iot-ctfs)
    - [Embedded/Firmware CTFs](#embeddedfirmware-ctfs)
    - [ARM CTFs](#arm-ctfs)
  - [Continuous Learning Platforms](#continuous-learning-platforms)
  - [Lab Setup](#lab-setup)
- [Research and Community](#research-and-community)
  - [Technical Research](#technical-research)
  - [Blogs](#blogs)
  - [Community Platforms](#community-platforms)
  - [Villages](#villages)
  - [Researchers to Follow](#researchers-to-follow)
- [Device-Specific Research](#device-specific-research)
  - [Cameras](#cameras)
  - [Smart Home Devices](#smart-home-devices)
  - [Smart Speakers](#smart-speakers)
  - [Printers](#printers)
  - [Drones](#drones)
  - [Kitchen Appliances](#kitchen-appliances)
  - [NAS Devices](#nas-devices)
  - [Game Consoles](#game-consoles)
  - [Phones/Tablets](#phonestablets)
  - [TrustZone and TEE Research](#trustzone-and-tee-research)
  - [Pwn2Own Research](#pwn2own-research)
- [Contributing](#contributing)
- [License](#license)

## Hardware Attacks

### Fundamentals

- [IoT Hardware Guide](https://www.postscapes.com/internet-of-things-hardware/)
- [Intro to Hardware Hacking - Dumping Your First Firmware](https://blog.nvisium.com/intro-to-hardware-hacking-dumping-your-first-firmware)
- [An Introduction to Hardware Hacking](https://securityboulevard.com/2020/09/an-introduction-to-hardware-hacking/)
- [Hardware Toolkits for IoT Security Analysis](https://defcon-nn.ru/0x0B/Hardware%20toolkits%20for%20IoT%20security%20analysis.pdf)
- [Hardware Hacking IoT Devices - Offensive IoT Exploitation](https://resources.infosecinstitute.com/hardware-hacking-iot-devices-offensive-iot-exploitation/)

### Interface Attacks

#### UART

- [Identifying UART Interfaces](https://www.mikroe.com/blog/uart-serial-communication)
- [Serial Terminal Basics](https://learn.sparkfun.com/tutorials/terminal-basics/all)
- [Reverse Engineering Serial Ports](http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/)
- [Intro to Embedded Reverse Engineering: UART Discovery and Firmware Extraction via U-Boot](https://voidstarsec.com/blog/uart-uboot-and-usb)
- [Using UART to Connect to a Chinese IP Camera](https://www.davidsopas.com/using-uart-to-connect-to-a-chinese-ip-cam/)
- [A Journey into IoT Hardware Hacking: UART](https://techblog.mediaservice.net/2019/03/a-journey-into-iot-hardware-hacking-uart/)
- [Accessing and Dumping Firmware through UART](https://www.cyberark.com/resources/threat-research-blog/accessing-and-dumping-firmware-through-uart)
- [UART Connection and Dynamic Analysis on a Linksys e1000](https://www.youtube.com/watch?v=ix6rSV2Dj44)
- [UARTBruteForcer](https://github.com/FireFart/UARTBruteForcer)
- [UART Exploiter](https://github.com/exploitsecurity.io/uart-exploiter)

#### JTAG

- [Hardware Hacking 101: Introduction to JTAG](https://www.riverloopsecurity.com/blog/2021/05/hw-101-jtag/)
- [How to Find JTAG Interfaces](https://www.youtube.com/watch?v=_FSM_10JXsM)
- [Analyzing JTAG](https://nse.digital/pages/guides/hardware/jtag.html)
- [Bus Pirate JTAG Connection with OpenOCD](https://research.kudelskisecurity.com/2014/05/01/jtag-debugging-made-easy-with-bus-pirate-and-openocd/)
- [Extracting Firmware from External Memory via JTAG](https://www.youtube.com/watch?v=IadnBUJAvks)
- [The Hitchhacker's Guide to iPhone Lightning and JTAG Hacking](https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/stacksmashing%20-%20The%20hitchhackers%20guide%20to%20iPhone%20Lightning%20%20%20JTAG%20hacking.pdf)
- [Debugging AVR Microcontrollers via JTAG](https://hev0x.github.io/posts/debugging-avr-with-atmelice-and-gdb/)

#### SWD (Serial Wire Debug)

- [SWD Protocol Overview - HardBreak Wiki](https://www.hardbreak.wiki/hardware-hacking/interface-interaction/jtag-swd/swd)
- [Unveiling Vulnerabilities: Exploring the SWD Attack Surface in Hardware](https://redfoxsec.com/blog/unveiling-vulnerabilities-exploring-swd-attack-surface-in-hardware/)
- [Introduction to the ARM Serial Wire Debug (SWD) Protocol](https://developer.arm.com/documentation/ihi0031/a/The-Serial-Wire-Debug-Port--SW-DP-/Introduction-to-the-ARM-Serial-Wire-Debug--SWD--protocol)
- [Serial Wire Debug and the CoreSight Architecture](https://community.nxp.com/pwmxy87654/attachments/pwmxy87654/imxrt/4786/2/Serial_Wire_Debug.pdf)
- [LibSWD - Open Serial Wire Debug Library](https://github.com/cederom/LibSWD)
- [Hardware Hacking and Exploitation Bootcamp - SWD](https://happeningnext.com/event/hardware-hacking-and-exploitation-bootcamp-eid4sntq7lbas1)

#### SPI

- [Hardware Hacking 101: Identifying and Dumping eMMC Flash](https://www.riverloopsecurity.com/blog/2020/03/hw-101-emmc/)
- [Dumping Firmware from a Router Using Bus Pirate - SPI](https://www.iotpentest.com/2019/06/dumping-firmware-from-device-using.html)
- [Extracting Flash Memory over SPI](https://akimbocore.com/article/extracting-flash-memory-over-spi/)
- [Extracting Firmware from Embedded Devices (SPI NOR Flash)](https://www.youtube.com/watch?v=nruUuDalNR0)
- [How to Flash a Router's Flash Chip with a Programmer](https://www.youtube.com/watch?v=fbt4OJXJdOc)
- [TPM 2.0: Extracting BitLocker Keys over SPI](https://lucasteske.dev/2024/01/tpm2-bitlocker-keys)

#### I2C

- [IoT Security Part 16: Hardware Attack Surface - I2C](https://payatu.com/masterclass/iot-security-part-16-101-hardware-attack-surface-i2c/)
- [I2C Exploitation - HackTricks](https://book.hacktricks.xyz/todo/hardware-hacking/i2c)
- [Non-Invasive I2C Hardware Trojan Attack Vector (PDF)](https://hal.science/hal-03703165/document)
- [Hardware Hacking: I2C Injection with Bus Pirate](http://www.rockfishsec.com/2014/09/hardware-hacking-i2c-injection-with-bus.html)
- [Safeguarding the SPI, I2C and I3C Protocols](https://ez.analog.com/ez-blogs/b/engineering-mind/posts/do-your-embedded-systems-safeguard-against-threats-to-spi-i2c-and-i3c)

#### TPM

- [Introduction to TPM (Trusted Platform Module)](https://sergioprado.blog/introduction-to-tpm-trusted-platform-module/)
- [Trusted Platform Module Security Defeated in 30 Minutes](https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/)

### Memory Extraction

#### eMMC

- [eMMC Protocol](https://prodigytechno.com/emmc-protocol/)
- [RPMB: A Secret Place inside the eMMC](https://sergioprado.blog/rpmb-a-secret-place-inside-the-emmc/)
- [eMMC Data Recovery from a Damaged Smartphone](https://dangerouspayload.com/2018/10/24/emmc-data-recovery-from-damaged-smartphone/)
- [Unleash Your Smart-Home Devices: Vacuum Cleaning Robot Hacking](https://media.ccc.de/v/34c3-9147-unleash_your_smart-home_devices_vacuum_cleaning_robot_hacking)
- [Hands-On IoT Hacking: Rapid7 at DEF CON 30](https://www.rapid7.com/blog/post/2022/10/18/hands-on-iot-hacking-rapid7-at-def-con-30-iot-village-part-1/)

### Side-Channel and Fault Injection

#### Fundamentals

- [Side-Channel Attacks - Yifan Lu](https://yifan.lu/)
- [Attacks on Implementations of Secure Systems](https://github.com/Yossioren/AttacksonImplementationsCourseBook)
- [Fuzzing, Binary Analysis and IoT Security Paper Collection](https://github.com/0xricksanchez/paper_collection)

#### Glitching Attacks

- [NAND Glitching the Wink Hub for Root](http://www.brettlischalk.com/posts/nand-glitching-wink-hub-for-root)
- [Voltage Glitching with Crowbars Tutorial](https://wiki.newae.com/index.php?title=Tutorial_CW305-4_Voltage_Glitching_with_Crowbars)
- [Voltage Glitching Attacks with the iCEstick Glitcher](https://www.youtube.com/watch?v=FVUhVewFmxw)
- [FPGA Glitching and Side-Channel Attacks - Samy Kamkar](https://www.youtube.com/watch?v=oGndiX5tvEk)
- [Hardware Power Glitch Attack - rhme2](https://www.youtube.com/watch?v=6Pf3pY3GxBM)
- [Keys in a Flash - Glitching AES Keys from an Arduino](https://srfilipek.medium.com/keys-in-a-flash-3e984d0de54b)
- [Implementing Practical Electrical Glitching Attacks](https://blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf)
- [How to Do Voltage Fault Injection](https://www.synacktiv.com/publications/how-to-voltage-fault-injection)
- [Glitcher Part 1 - Reproducible Voltage Glitching on STM32 Microcontrollers](https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage-glitching-on-stm32-microcontrollers/)
- [Voltage Glitching the STM32L05](https://blog.syss.com/posts/voltage-glitching-the-stm32l05-microcontroller/)

#### Power Analysis

- [Breaking AES with ChipWhisperer](https://www.youtube.com/watch?v=FktI4qSjzaE)
- [ChipWhisperer Wiki](http://wiki.newae.com/Main_Page)
- [Rowhammer Bit Flips to Steal Crypto Keys](https://arstechnica.com/information-technology/2019/06/researchers-use-rowhammer-bitflips-to-steal-2048-bit-crypto-key/)

#### Other Microcontrollers

- [Dumping the Amlogic A113X Bootrom](https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/)
- [Retreading the Amlogic A113X TrustZone Exploit Process](https://boredpentester.com/retreading-the-amlogic-a113x-trustzone-exploit-process/)
- [Reverse Engineering an Unknown Microcontroller](https://dmitry.gr/?r=05.Projects&proj=30.%20Reverse%20Engineering%20an%20Unknown%20Microcontroller)
- [Hacking Microcontroller Firmware through a USB](https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/)
- [There's a Hole in Your SoC: Glitching the MediaTek BootROM](https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/)

### PCIe and DMA Attacks

- [Hands-On PCIe Tutorial for Windows Beginners - Part 1](https://ctf.re/windows/kernel/pcie/tutorial/2023/02/14/pcie-part-1/)
- [Hands-On PCIe Tutorial for Windows Beginners - Part 2](https://ctf.re/kernel/pcie/tutorial/dma/mmio/tlp/2024/03/26/pcie-part-2/)
- [PCIe DMA Attack against a Secured Jetson Nano (CVE-2022-21819)](https://www.thegoodpenguin.co.uk/blog/pcie-dma-attack-against-a-secured-jetson-nano-cve-2022-21819/)

## Wireless Protocols

### RF Fundamentals

- [Software Defined Radio Complete Course - Michael Ossmann](https://greatscottgadgets.com/sdr/)
- [SDR Notes - Overview of Radio IoT Protocols](https://github.com/notpike/SDR-Notes)
- [Understanding Radio](https://www.taitradioacademy.com/lessons/introduction-to-radio-communications-principals/)
- [Introduction to Software Defined Radio](https://www.allaboutcircuits.com/technical-articles/introduction-to-software-defined-radio/)
- [Introduction to GNU Radio Companion](https://wiki.gnuradio.org/index.php/Guided_Tutorial_GRC)
- [Creating a Flow Graph in GNU Radio Companion](https://blog.didierstevens.com/2017/09/19/quickpost-creating-a-simple-flow-graph-with-gnu-radio-companion/)
- [Analyzing 433 MHz Radio Signals](https://www.rtl-sdr.com/analyzing-433-mhz-transmitters-rtl-sdr/)
- [Recording Specific Radio Signals](https://www.rtl-sdr.com/freqwatch-rtl-sdr-frequency-scanner-recorder/)
- [Replay Attacks with a Raspberry Pi and rpitx](https://www.rtl-sdr.com/tutorial-replay-attacks-with-an-rtl-sdr-raspberry-pi-and-rpitx/)
- [Reversing a Car Key Fob Signal](https://0x44.cc/radio/2024/03/13/reversing-a-car-key-fob-signal.html)
- [GRCON 2021 - Capture the Signal](https://blog.tclaverie.eu/posts/grcon-2021---capture-the-signal/)

### Bluetooth / BLE

#### Fundamentals

- [Awesome Bluetooth Security](https://github.com/engn33r/awesome-bluetooth-security)
- [BLE-NullBlr: Step-by-Step Guide to Understanding and Exploiting BLE](https://github.com/V33RU/BLE-NullBlr)
- [Traffic Engineering in Bluetooth Piconets](http://www.diva-portal.org/smash/get/diva2:833159/FULLTEXT01.pdf)
- [BLE Characteristics: A Beginner's Tutorial](https://devzone.nordicsemi.com/nordic/short-range-guides/b/bluetooth-low-energy/posts/ble-characteristics-a-beginners-tutorial)
- [Introduction to Bluetooth Low Energy (PDF)](https://daskalakispiros.com/files/Ebooks/Intro+to+Bluetooth+Low+Energy+v1.1.pdf)
- [Bluetooth LE Security Study Guide](https://www.bluetooth.com/bluetooth-resources/le-security-study-guide/)
- [Reverse Engineering BLE Devices](https://reverse-engineering-ble-devices.readthedocs.io/en/latest/)
- [My Journey towards Reverse Engineering a Smart Band - Bluetooth-LE RE](https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2)

#### Exploitation Techniques

- [Intel Edison as a Bluetooth LE Exploit Box](https://medium.com/@arunmag/intel-edison-as-bluetooth-le-exploit-box-a63e4cad6580)
- [How I Reverse Engineered and Exploited a Smart Massager](https://medium.com/@arunmag/how-i-reverse-engineered-and-exploited-a-smart-massager-ee7c9f21bf33)
- [I Hacked the Xiaomi Mi Band 3](https://medium.com/@yogeshojha/i-hacked-xiaomi-miband-3-and-here-is-how-i-did-it-43d68c272391)
- [GATTacking Bluetooth Smart Devices](https://securing.pl/en/gattacking-bluetooth-smart-devices-introducing-a-new-ble-proxy-tool/index.html)
- [Examining the August Smart Lock](https://blog.quarkslab.com/examining-the-august-smart-lock.html)
- [A Practical Introduction to BLE GATT Reverse Engineering](https://jcjc-dev.com/2023/03/19/reversing-domyos-el500-elliptical/)
- [MojoBox - Yet Another Not-So-Smart Lock](https://mandomat.github.io/2023-03-15-testing-mojobox-security/)
- [Bluetooth Smart Locks](https://www.getkisi.com/blog/smart-locks-hacked-bluetooth-ble)
- [Bluetooth Beacon Vulnerabilities](https://www.beaconzone.co.uk/blog/category/security/)
- [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero)
- [Grand Theft Auto: A Glimpse at BLE Relay Attacks](https://rollingpwn.github.io/BLE-Relay-Aattck/)
- [How I Hacked a Smart Light: CVE-2022-47758](https://pwning.tech/cve-2022-47758/)
- [NFC Relay Attack against the Tesla Model Y](https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf)

#### Vulnerability Research

- [Finding Vulnerabilities in Bluetooth](https://bluetooth.lol/)
- [SweynTooth Vulnerabilities](https://asset-group.github.io/disclosures/sweyntooth/)
- [BrakTooth: Causing Havoc on the Bluetooth Link Manager](https://asset-group.github.io/disclosures/braktooth/)
- [BLUFFS: Bluetooth Forward and Future Secrecy Attacks (CVE-2023-24023)](https://github.com/francozappa/bluffs)
- [AirDrop Leaks - Sniffing BLE Traffic from Apple Devices](https://github.com/hexway/apple_bleee)
- [BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html)
- [BRAKTOOTH: Causing Havoc on the Bluetooth Link Manager (PDF)](https://asset-group.github.io/disclosures/braktooth/braktooth.pdf)
- [Norec Attack: Stripping BLE Encryption from Nordic's Library (CVE-2020-15509)](https://infosecwriteups.com/norec-attack-stripping-ble-encryption-from-nordics-library-cve-2020-15509-9798ab893b95)

#### Conference Talks

- [Blue2thprinting: What the Heck Am I Looking At?](https://darkmentor.com/publication/2023-11-hardweario/)
- [Open Wounds: Keeping Bluetooth Bleeding for the Past Five Years](https://darkmentor.com/publication/2023-10-hacklu/)
- [Sniffing Bluetooth through a Mask during the Pandemic](https://darkmentor.com/publication/2023-08-hitb/)

#### Tools - Software

- [Bluing - Bluetooth Intelligence Gathering](https://github.com/fO-000/bluing)
- [BlueToolkit - Bluetooth Classic Vulnerability Testing](https://github.com/sgxgsx/BlueToolkit)
- [btproxy](https://github.com/conorpp/btproxy)
- [hcitool and bluez](https://www.pcsuggest.com/linux-bluetooth-setup-hcitool-bluez)
- [Testing with GATT Tool](https://www.jaredwolff.com/blog/get-started-with-bluetooth-low-energy/)
- [crackle - Cracking BLE Encryption](https://github.com/mikeryan/crackle)
- [bettercap](https://github.com/bettercap/bettercap)
- [BtleJuice - Bluetooth Smart MITM Framework](https://github.com/DigitalSecurity/btlejuice)
- [GATTacker](https://github.com/securing/gattacker)
- [BTLEjack - BLE Swiss Army Knife](https://github.com/virtualabs/btlejack)
- [DEDSEC Bluetooth Exploit](https://github.com/0xbitx/DEDSEC-Bluetooth-exploit)
- [BrakTooth ESP32 PoC](https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks)
- [SweynTooth BLE Attacks](https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks)
- [ESP32 Bluetooth Classic Sniffer](https://github.com/Matheus-Garbelini/esp32_bluetooth_classic_sniffer)
- [Bluetooth Hacking Collection](https://github.com/zedxpace/bluetooth-hacking-)

#### Tools - Hardware

- [nRF52840 Dongle](https://www.nordicsemi.com/Software-and-tools/Development-Kits/nRF52840-Dongle)
- [Ubertooth One](https://github.com/greatscottgadgets/ubertooth/wiki/Ubertooth-One)
- [CSR 4.0 Bluetooth Adapter](https://www.amazon.in/GENERIC-Ultra-Mini-Bluetooth-Dongle-Adapter/dp/B0117H7GZ6/)
- [ESP32](https://www.espressif.com/en/products/hardware/esp32/overview)
- [Sena UD100](http://www.senanetworks.com/ud100-g03.html)
- [ESP-WROVER-KIT](https://www.digikey.in/en/products/detail/espressif-systems/ESP-WROVER-KIT-VB/8544301)

#### Tools

- [ice9-bluetooth-sniffer](https://github.com/mikeryan/ice9-bluetooth-sniffer)
- [InternalBlue - Bluetooth Experimentation Framework](https://github.com/seemoo-lab/internalblue)

#### Hacking Bluetooth Coffee Machines

- [Hacking Bluetooth to Brew Coffee from GitHub Actions - Part 1](https://grack.com/blog/2022/12/01/hacking-bluetooth-to-brew-coffee-on-github-actions-part-1/)
- [Hacking Bluetooth to Brew Coffee from GitHub Actions - Part 2](https://grack.com/blog/2022/12/02/hacking-bluetooth-to-brew-coffee-on-github-actions-part-2/)
- [Hacking Bluetooth to Brew Coffee from GitHub Actions - Part 3](https://grack.com/blog/2022/12/04/hacking-bluetooth-to-brew-coffee-on-github-actions-part-3/)

### Zigbee / Z-Wave

#### Fundamentals

- [Introduction and Protocol Overview](http://www.informit.com/articles/article.aspx?p=1409785)
- [ZigBee and Z-Wave Security Brief](http://www.riverloopsecurity.com/blog/2018/05/zigbee-zwave-part1/)
- [Hacking ZigBee Networks](https://resources.infosecinstitute.com/topic/hacking-zigbee-networks/)

#### Exploitation

- [Hacking IoT Devices with the Attify Zigbee Framework](https://blog.attify.com/hack-iot-devices-zigbee-sniffing-exploitation/)
- [Zigator: Analyzing the Security of Zigbee-Enabled Smart Homes](https://mews.sv.cmu.edu/papers/wisec-20.pdf)
- [Zigbee Security Analysis with Zigator and GNU Radio](https://mews.sv.cmu.edu/research/zigator/testbed-grcon2020-slides.pdf)
- [Low-Cost ZigBee Selective Jamming](https://www.bastibl.net/reactive-zigbee-jamming/)

#### Tools - Software

- [Killerbee](https://github.com/riverloopsec/killerbee)
- [ZigDiggity](https://github.com/BishopFox/zigdiggity)
- [Zigator](https://github.com/akestoridis/zigator)
- [Z3sec](https://github.com/IoTsec/Z3sec)
- [zigbear](https://github.com/philippnormann/zigbear)

#### Tools - Hardware

- [ApiMote](https://www.riverloopsecurity.com/projects/apimote/)
- [RaspBee](https://phoscon.de/en/raspbee/)
- [ATUSB IEEE 802.15.4 Adapter](http://shop.sysmocom.de/products/atusb)
- [USRP](https://www.ettus.com/products/)

### LoRa / LoRaWAN

- [LoRaWAN Security Overview - Tektelic](https://tektelic.com/expertise/lorawan-security/)
- [Security Vulnerabilities in LoRaWAN](https://www.cyber-threat-intelligence.com/publications/IoTDI2018-LoraWAN.pdf)
- [Low-Powered but High-Risk: Evaluating Possible Attacks on LoRaWAN Devices](https://www.trendmicro.com/en_us/research/21/a/Low-Powered-but-High-Risk-Evaluating-Possible-Attacks-on-LoRaWAN-Devices.html)
- [LAF - LoRaWAN Auditing Framework](https://github.com/IOActive/laf)
- [ChirpOTLE - LoRaWAN Security Framework](https://github.com/seemoo-lab/chirpotle)

#### Fundamentals

- [LoRaWAN Security Survey - ScienceDirect](https://www.sciencedirect.com/science/article/abs/pii/S2542660520301359)
- [LoRaWAN - Wikipedia](https://en.wikipedia.org/wiki/LoRa)

#### Exploitation

- [Millions of Devices Using LoRaWAN at Risk - SecurityWeek](https://www.securityweek.com/millions-devices-using-lorawan-exposed-hacker-attacks/)
- [Do You Blindly Trust LoRaWAN Networks? - IOActive](https://www.ioactive.com/do-you-blindly-trust-lorawan-networks-for-iot/)
- [LoRaWAN Encryption Keys Easy to Crack - Threatpost](https://threatpost.com/lorawan-encryption-keys-easy-to-crack-jeopardizing-security-of-iot-networks/152276/)
- [LoPT: LoRa Penetration Testing Tool (PDF)](https://www.ijitee.org/wp-content/uploads/papers/v8i9S2/I10810789S219.pdf)

#### Tools

- [LoRa Craft - Packet Interception](https://github.com/PentHertz/LoRa_Craft)
- [Open-Source LoRaWAN Hacking Tool](https://www.thethingsnetwork.org/forum/t/open-source-tool-for-hacking-auditing-and-monitoring-lorawan-networks/31185)
- [LoRaWAN Hackaday Projects](https://hackaday.com/tag/lorawan/)

### Matter / Thread

#### Fundamentals

- [Matter Standard - CSA-IoT](https://csa-iot.org/all-solutions/matter/)
- [Matter Protocol - Wikipedia](https://en.wikipedia.org/wiki/Matter_(standard))
- [Matter Protocol Complete Guide 2025](https://thinkrobotics.com/blogs/learn/matter-protocol-explained-for-smart-homes-complete-guide-2025)
- [How to Secure Smart Home Devices with Matter](https://www.iot-now.com/2022/07/12/122292-how-to-secure-smart-home-devices-with-the-matter-standard/)
- [Matter Solutions for Smart Home Devices - DigiCert](#uart)

#### Security Research

- [Security Vulnerabilities and Attack Scenarios in Smart Homes with Matter](https://www.ndss-symposium.org/wp-content/uploads/2024/07/sdiotsec2024-48-paper.pdf)
- [Trust Matters: Uncovering Vulnerabilities in the Matter Protocol - Nozomi](https://www.nozominetworks.com/blog/trust-matters-uncovering-vulnerabilities-in-the-matter-protocol)
- [Matter over Thread Security](https://sensereo.com/community/matter-over-thread-security-how-safe-is-your-smart-home-network/)
- [State-of-the-Art Survey of IoT Wireless PAN Protocol Security](https://www.mdpi.com/2073-8994/12/4/579)
- [Matter Smart Home - Krasamo](https://www.krasamo.com/matter-smart-home/)

### Cellular (GSM/LTE/5G)

- [Awesome Cellular Hacking](https://github.com/W00t3k/Awesome-Cellular-Hacking/)
- [Introduction to GSM Security](http://www.pentestingexperts.com/introduction-to-gsm-security/)
- [Breaking LTE on Layer Two](https://alter-attack.net/)
- [5Ghoul - 5G NR Attacks and Fuzzing](https://github.com/asset-group/5ghoul-5g-nr-attacks)
- [Exploiting CSN.1 Vulnerabilities in MediaTek Basebands](https://labs.taszk.io/articles/post/mtk_baseband_csn1_exploitation/)
- [SIM Hijacking](https://sensepost.com/blog/2022/sim-hijacking/)
- [SigPloit - Telecom Signaling Exploitation Framework](https://github.com/SigPloiter/SigPloit)
- [LTE Sniffer](https://github.com/SysSec-KAIST/LTESniffer)

#### Fundamentals

- [GSM Security Part 2](https://www.ehacking.net/2011/02/gsm-security-2.html)
- [What Is a Base Transceiver Station](https://en.wikipedia.org/wiki/Base_transceiver_station)
- [Introduction to SS7 Signaling](https://www.patton.com/whitepapers/Intro_to_SS7_Tutorial.pdf)
- [SS7 Network Architecture](https://youtu.be/pg47dDUL1T0)
- [Introduction to SIGTRAN](https://www.youtube.com/watch?v=XUY6pyoRKsg)

#### Exploitation

- [How to Build Your Own Rogue GSM BTS](https://l33t.gg/how-to-build-a-rogue-gsm-bts/)
- [GSM Exploitation with the USRP B200](https://ieeexplore.ieee.org/document/7581461/)
- [4G (LTE) Network Security Testing](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-44con-lte-presentation-2012-09-11.pdf)
- [SS7/SIGTRAN Assessment Case Study](https://nullcon.net/website/archives/pdf/goa-2017/case-study-of-SS7-sigtran.pdf)

#### Tools

- [ss7MAPer - SS7 Pentesting Toolkit](https://n0where.net/ss7-pentesting-toolkit-ss7maper)
- [Fake BTS Detector (SCL-8521)](https://www.shoghicom.com/fake-bts-detector.php)

### NFC/RFID

- [Awesome RFID/NFC Security Talks](https://github.com/doegox/awesome-rfid-talks)
- [RFID Discord Group](https://discord.gg/Z43TrcVyPr)
- [SoK: Security of EMV Contactless Payment Systems](https://arxiv.org/pdf/2504.12812)

### DECT (Digital Enhanced Cordless Telecommunications)

- [Real-Time Interception of DECT Cordless Phones](https://www.youtube.com/watch?v=MDF1eUvOte0)
- [Eavesdropping on Unencrypted DECT Voice Traffic](https://www.youtube.com/watch?v=WBvYsXrs3DI)
- [Decoding DECT Voice Traffic: An In-Depth Explanation](https://www.youtube.com/watch?v=oiMkirm_xfY)

### Wi-Fi

#### Protocol Vulnerabilities

- [Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues](https://papers.mathyvanhoef.com/usenix2023-wifi.pdf)
- [Man-in-the-Middle Attacks without a Rogue AP: When WPA Meets ICMP Redirects](https://csis.gmu.edu/ksun/publications/WiFi_Interception_SP23.pdf)
- [WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations](https://www.mdpi.com/2410-387X/6/4/53/)
- [Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks](https://www.cs.ucr.edu/%7Ezhiyunq/pub/ccs24_wireless_mesh.pdf)

#### Exploitation

- [Over the Air: Exploiting Broadcom's Wi-Fi Stack (Part 1)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html)
- [Over the Air: Exploiting Broadcom's Wi-Fi Stack (Part 2)](https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html)
- [Over the Air: Exploiting the Wi-Fi Stack on Apple Devices](https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html)
- [Reverse Engineering Broadcom Wireless Chipsets](https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html)
- [Exploiting Qualcomm WLAN and Modem Over the Air](https://i.blackhat.com/USA-19/Thursday/us-19-Pi-Exploiting-Qualcomm-WLAN-And-Modem-Over-The-Air-wp.pdf)
- [Windows Wi-Fi Driver RCE Vulnerability - CVE-2024-30078](https://www.crowdfense.com/windows-wi-fi-driver-rce-vulnerability-cve-2024-30078/)
- [When a Wi-Fi SSID Gives You Root on the MT02 Repeater - Part 1](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/)
- [When a Wi-Fi SSID Gives You Root on the MT02 Repeater - Part 2](https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/)

#### Reverse Engineering WiFi

- [Reverse Engineering WiFi on the RISC-V BL602](https://lupyuen.github.io/articles/wifi)
- [Unveiling the ESP32's Secrets: Creating an Open-Source MAC Layer](https://zeus.ugent.be/blog/23-24/open-source-esp32-wifi-mac/)
- [Unveiling the ESP32's Secrets: Reverse Engineering RX](https://zeus.ugent.be/blog/23-24/esp32-reverse-engineering-continued/)

### USB

- [All about USB-C: An Introduction for Hackers](https://hackaday.com/2022/12/06/usb-c-introduction-for-hackers/)
- [Hi, My Name Is Keyboard](https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md)
- [How to Weaponize the Yubikey](https://www.blackhillsinfosec.com/how-to-weaponize-the-yubikey/)

### UWB (Ultra-Wideband)

- [UWB Real-Time Locating Systems: How Secure Radio Communications May Fail in Practice](https://uploads-ssl.webflow.com/645a4534705010e2cb244f50/64912bac55ece2717e14e84a_Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems.pdf)

### TETRA

- [All Cops Are Broadcasting: TETRA under Scrutiny](https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf)

## Firmware Security

### Fundamentals

- [Introduction to Firmware Analysis - OWASP](https://www.owasp.org/index.php/IoT_Firmware_Analysis)
- [OWASP Firmware Security Testing Methodology](https://scriptingxss.gitbook.io/firmware-security-testing-methodology/)
- [IoT Security Verification Standard (ISVS)](https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS)
- [Reverse Engineering 101](https://0xinfection.github.io/reversing/)
- [Hands-On Firmware Extraction, Exploration and Emulation](https://github.com/onekey-sec/BHEU23-firmware-workshop)

### Extraction

- [Router Analysis Part 1: UART Discovery and SPI Flash Extraction](https://wrongbaud.github.io/posts/router-teardown/)
- [Hardware Hacking Tutorial: Dumping and Reversing Firmware](https://ivanorsolic.github.io/post/hardwarehacking1/)
- [Firmware Samples - firmware.center](https://firmware.center/)
- [BasicFUN Series: Hardware Analysis / SPI Flash Extraction](https://wrongbaud.github.io/posts/BasicFUN-flashing/)
- [BasicFUN Series: Firmware Reverse Engineering / Reflashing SPI Flash](https://wrongbaud.github.io/posts/BasicFUN-rom-analysis/)
- [Modding Encrypted Firmware Is a Bad Idea](https://haxx.in/posts/wtm-wtf/)

### Static Analysis Tools

- [EMBA - Embedded Linux Firmware Analyzer](https://p4cx.medium.com/emba-b370ce503602)
- [FACT - Firmware Analysis and Comparison Tool](https://github.com/fkie-cad/FACT_core)
- [Binwalk v3](https://github.com/ReFirmLabs/binwalk/tree/binwalkv3)
- [Firmwalker](https://github.com/craigz28/firmwalker)
- [fwanalyzer](https://github.com/cruise-automation/fwanalyzer)
- [fwhunt-scan - UEFI Firmware Analysis](https://github.com/binarly-io/fwhunt-scan)
- [ByteSweep](https://gitlab.com/bytesweep/bytesweep)
- [QueryX - Static Taint Tracking](https://github.com/RiS3-Lab/QueryX)
- [FirmGraph](https://github.com/ucsb-seclab/firmgraph)
- [BINSEC](https://github.com/binsec/binsec)
- [unblob - Extraction Framework](https://github.com/onekey-sec/unblob)
- [fchk - Firmware Security Checks](https://github.com/IOActive/fchk)
- [Checksec.sh](https://github.com/slimm609/checksec.sh)
- [Firmware Mod Kit](https://code.google.com/archive/p/firmware-mod-kit/)

### Dynamic Analysis and Emulation

- [Firmadyne - Automated Firmware Emulation](https://github.com/firmadyne/firmadyne)
- [FirmAE - Firmware Analysis and Emulation](https://github.com/firmadyne/firmAE)
- [QEMU](https://www.qemu.org/)
- [PANDA - Architecture-Neutral Dynamic Analysis](https://github.com/panda-re/panda)
- [Avatar2 - Dynamic Firmware Analysis](https://github.com/avatartwo/avatar2)
- [Renode - Embedded Systems Simulator](https://github.com/renode/renode)
- [Unicorn Engine - CPU Emulator](https://github.com/unicorn-engine/unicorn)
- [Qiling Framework](https://github.com/qilingframework/qiling)
- [HALucinator](https://github.com/ucsb-seclab/HALucinator)
- [FirmWire - Baseband Firmware Emulation](https://github.com/FirmWire/FirmWire)
- [SymQEMU](https://github.com/weiwei1116/symqemu)
- [S2E - Selective Symbolic Execution](https://github.com/S2E/s2e)
- [Bochs - x86 Emulator](https://github.com/bochs-dev-team/bochs)
- [SAME70 Emulator](https://www.0x01team.com/sw_security/same70-emulator/)
- [Emulate Until It Works](https://www.hexacon.fr/slides/hexacon_draytek_2022_final.pdf)

#### Emulation Tutorials

- [Firmware Emulation with QEMU](https://www.youtube.com/watch?v=G0NNBloGIvs)
- [Emulating ARM Router Firmware - Azeria Labs](https://azeria-labs.com/emulating-arm-firmware/)
- [Emulating IoT Firmware Made Easy](https://boschko.ca/qemu-emulating-firmware/)
- [IoT Binary Analysis and Emulation Part 1](https://hacklido.com/blog/529-iot-binary-analysis-emulation-part-1)
- [Cross-Debugging ARM/MIPS with QEMU](https://reverseengineering.stackexchange.com/questions/8829/cross-debugging-for-arm-mips-elf-with-qemu-toolchain)
- [QEMU + Buildroot 101](https://gitbook.seguranca-informatica.pt/arm/tools/qemu-101)
- [Simulating and Hunting Firmware Vulnerabilities with Qiling](https://blog.vincss.net/2020/12/pt007-simulating-and-hunting-firmware-vulnerabilities-with-Qiling.html)
- [Qiling and Binary Emulation for Automatic Unpacking](https://kernemporium.github.io/articles/en/auto_unpacking/m.html)
- [Debugging D-Link: Emulating Firmware and Hacking Hardware](https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware)
- [An Adaptive Emulation Framework for Multi-Architecture IoT](https://www.techscience.com/cmc/v75n2/52069/pdf)
- [Automatic Firmware Emulation through Invalidity-Guided Knowledge Inference](https://www.usenix.org/conference/usenixsecurity21/presentation/zhou)
- [Emulating the RH850 Architecture with Unicorn Engine](https://blog.quarkslab.com/emulating-rh850-architecture-with-unicorn-engine.html)
- [Icicle: A Re-Designed Emulator for Grey-Box Firmware Fuzzing](https://arxiv.org/pdf/2301.13346.pdf)
- [Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers](https://skemman.is/bitstream/1946/50456/1/Challenges_and_Pitfalls_while_Emulating_Six_Current_Icelandic_Household_Routers.pdf)
- [My Emulation Goes to the Moon... Until False Flag](https://retooling.io/blog/my-emulation-goes-to-the-moon-until-false-flag)
- [How to Emulate Android Native Libraries Using Qiling](https://www.appknox.com/security/how-to-emulate-android-native-libraries-using-qiling)

### OTA Update Security

#### Fundamentals

- [IoT Firmware Security and Update Mechanisms](https://www.encryptionconsulting.com/iot-firmware-security-and-update-mechanisms-a-deep-dive/)
- [Implementing Over-the-Air Updates for IoT Devices](https://www.kaaiot.com/iot-knowledge-base/implementing-over-the-air-updates-for-iot-devices)
- [Secure OTA Boot Chains and Firmware Verification](https://promwad.com/news/secure-ota-boot-chains-firmware-verification)
- [The Key to Firmware Security for Connected IoT Devices](https://www.keyfactor.com/blog/firmware-security-iot-devices/)
- [Security Considerations for OTA Updates - Stack Overflow](https://stackoverflow.blog/2020/12/14/security-considerations-for-ota-software-updates-for-iot-gateway-devices/)

#### Attack Vectors

- [Top 10 IoT Vulnerabilities - OTA Update Attacks](https://www.keyfactor.com/blog/top-10-iot-vulnerabilities-in-your-devices/)
- [Updating IoT Devices in 2025: Best Practices](https://stormotion.io/blog/updating-iot-devices/)
- [A Review of IoT Firmware Vulnerabilities and Auditing Techniques](https://pmc.ncbi.nlm.nih.gov/articles/PMC10821153/)
- [Secure OTA Firmware Update Mechanism (PDF)](https://ecejournals.in/index.php/ESA/article/download/397/632/2072)

### RTOS Security

#### Zephyr RTOS

- [Zephyr RTOS GitHub](https://github.com/zephyrproject-rtos/zephyr)
- [Zephyr Vulnerability List](https://docs.zephyrproject.org/latest/security/vulnerabilities.html)
- [NCC Group Zephyr and MCUboot Security Assessment](https://www.nccgroup.com/us/research-blog/research-report-zephyr-and-mcuboot-security-assessment/)
- [26 Vulnerabilities in Zephyr and MCUboot](https://embeddedcomputing.com/technology/open-source/linux-freertos-related/another-iot-security-uh-oh-26-flaws-in-open-source-zephyr-and-mcuboot-stacks)
- [Tackling Security Challenges in Zephyr RTOS](https://www.electronicdesign.com/technologies/embedded/article/21215503/percepio-tackling-security-and-reliability-in-the-zephyr-rtos)
- [Enhancing Security with Zephyr RTOS](https://witekio.com/blog/zephyr-rtos-security/)

#### FreeRTOS

- [13 Vulnerabilities in the FreeRTOS TCP/IP Stack](https://hub.packtpub.com/freertos-affected-by-13-vulnerabilities-in-its-tcp-ip-stack/)
- [Exploiting Memory Corruption in FreeRTOS - ShmooCon](https://shmoo.gitbook.io/2016-shmoocon-proceedings/bring_it_on/01_exploiting_memory_corruption)
- [RTOS Security Analysis - USENIX](https://www.usenix.org/system/files/usenixsecurity25-shao.pdf)
- [Dynamic Vulnerability Patching for RTOS](https://www.arxiv.org/pdf/2509.10213)
- [AWS FreeRTOS Vulnerabilities](https://info.cgcompliance.com/blog/vulnerabilities-in-the-aws-iot-platform-you-should-know-about)

### Reverse Engineering Tools

- [Ghidra](https://github.com/NationalSecurityAgency/ghidra)
- [IDA Pro](https://www.hex-rays.com/products/ida/)
- [Radare2](https://www.rada.re/n/)
- [Cutter - GUI for Radare2](https://github.com/rizinorg/cutter)
- [Binary Ninja](https://binary.ninja/)
- [GDB](https://www.gnu.org/software/gdb/)
- [RetDec - Decompiler](https://github.com/avast/retdec)
- [Diaphora - Binary Diffing](https://github.com/joxeankoret/diaphora)
- [Angr - Binary Analysis](https://github.com/angr/angr)
- [Frida - Dynamic Instrumentation](https://github.com/frida/frida)
- [Ret-sync](https://github.com/bootleg/ret-sync)
- [OllyDbg](http://www.ollydbg.de/)
- [x64dbg](https://x64dbg.com/)
- [Hopper](https://www.hopperapp.com/)
- [Immunity Debugger](https://www.immunityinc.com/products/debugger/)
- [PEiD](https://www.aldeid.com/wiki/PEiD)
- [Ghidriff - Ghidra Binary Diffing Engine](https://github.com/clearbluejar/ghidriff)
- [rev.ng Decompiler Open-Sourced](https://rev.ng/blog/open-sourcing-renvg-decompiler-ui-closed-beta)
- [Intro to Cutter](https://goggleheadedhacker.com/post/intro-to-cutter)
- [pyghidra-mcp: Headless Ghidra MCP Server](https://clearbluejar.github.io/posts/pyghidra-mcp-headless-ghidra-mcp-server-for-project-wide-multi-binary-analysis/)
- [Mindshare: Using the Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities](https://www.zerodayinitiative.com/blog/2025/3/20/mindshare-using-binary-ninja-api-to-detect-potential-use-after-free-vulnerabilities)

#### Reverse Engineering Tutorials

- [Reverse Engineering and Patching with Ghidra](https://www.coalfire.com/the-coalfire-blog/reverse-engineering-and-patching-with-ghidra)
- [Reverse Engineering with Ghidra: Breaking Firmware Encryption](https://www.youtube.com/watch?v=4urMITJKQQs)
- [Reversing Firmware with Radare](https://www.bored-nerds.com/reversing/radare/automotive/2019/07/07/reversing-firmware-with-radare.html)
- [Reversing ESP8266 Firmware](https://boredpentester.com/reversing-esp8266-firmware-part-1/)
- [Automating Binary Vulnerability Discovery with Ghidra and Semgrep](https://security.humanativaspa.it/automating-binary-vulnerability-discovery-with-ghidra-and-semgrep/)
- [Finding Bugs in a Netgear Router](https://flattsecurity.medium.com/finding-bugs-to-trigger-unauthenticated-command-injection-in-a-netgear-router-psv-2022-0044-2b394fb9edc)

#### Ghidra Tutorials

- [Ghidra Debugger Course](https://github.com/NationalSecurityAgency/ghidra/tree/master/GhidraDocs/GhidraDocs/GhidraClass/Debugger)
- [Ghidra 101: Cursor Text Highlighting](https://www.tripwire.com/state-of-security/ghidra-101-cursor-text-highlighting)
- [Ghidra 101: Decoding Stack Strings](https://www.tripwire.com/state-of-security/ghidra-101-decoding-stack-strings)
- [Extending Ghidra Part 1: Setting Up a Development Environment](https://voidstarsec.com/blog/ghidra-dev-environment)
- [Expanding the Dragon: Adding an ISA to Ghidra](https://trenchant.io/expanding-the-dragon-adding-an-isa-to-ghidra/)
- [Ghidra nanoMIPS ISA Module](https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/)
- [Binary Type Inference in Ghidra](https://blog.trailofbits.com/2024/02/07/binary-type-inference-in-ghidra/)
- [Writing a Ghidra Processor Module](https://irisc-research-syndicate.github.io/2025/02/14/writing-a-ghidra-processor-module/)

### Online Assemblers

- [AZM Online ARM Assembler - Azeria Labs](https://azeria-labs.com/azm/)
- [Online Disassembler](https://onlinedisassembler.com/odaweb/)
- [Compiler Explorer](https://godbolt.org/)

### ARM Exploitation

- [Azeria Labs ARM Tutorials](https://azeria-labs.com/)
- [ARM Exploitation for IoT](https://www.exploit-db.com/docs/english/43906-arm-exploitation-for-iot.pdf)
- [Damn Vulnerable ARM Router (DVAR)](https://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html)
- [Exploit Education](https://exploit.education/)
- [ARM64 / AArch64 Assembly Guide on Linux](https://modexp.wordpress.com/2018/10/30/arm64-assembly/?ref=0xor0ne.xyz)
- [ARMv8 AArch64/ARM64 Full Beginner Assembly Tutorial](https://mariokartwii.com/armv8/)
- [ARM
漏洞利用菜鸟指南](https://ad2001.gitbook.io/a-noobs-guide-to-arm-exploitation/) - [ARM64 逆向与漏洞利用系列 (8ksec) - 第 1-10 部分](https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/) - [AArch64 内存与分页](https://krinkinmu.github.io/2024/01/14/aarch64-virtual-memory.html) - [我们不再 ARMed:这里没有 ROP](https://zeyadazima.com/exploit%20development/pointer_pac/) ### 二进制分析 - [实用二进制分析](https://nostarch.com/binaryanalysis) ### 安全启动 #### 开发 - [编写引导加载程序](http://3zanders.co.uk/2017/10/13/writing-a-bootloader/) #### 绕过 - [攻破 ESP32 安全启动](https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/) - [永远攻破 ESP32:闪存加密和安全启动密钥提取](https://limitedresults.com/2019/11/pwn-the-esp32-forever-flash-encryption-and-sec-boot-keys-extraction/) - [ESP32 安全启动绕过 (CVE-2020-13629)](https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/) - [Amlogic S905 SoC:绕过安全启动](https://fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html) - [通过符号链接攻击击败安全启动](https://www.anvilsecure.com/blog/defeating-secure-boot-with-symlink-attacks.html) - [PS4 安全启动黑客攻击 - Fail0verflow](https://www.psxhax.com/threads/ps4-aux-hax-5-psvr-secure-boot-hacking-with-keys-by-fail0verflow.12820/) - [Dell BIOS 漏洞 - BIOSDisconnect](https://eclypsium.com/2021/06/24/biosdisconnect/) - [U-Boot USB DFU 漏洞 (CVE-2022-2347)](https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/) - [攻破 Silicon Labs Gecko 上的安全启动](https://blog.quarkslab.com/breaking-secure-boot-on-the-silicon-labs-gecko-platform.html) ### UEFI 安全 - [使用符号执行检测 UEFI 漏洞](https://binarly.io/posts/Using_Symbolic_Execution_to_Detect_UEFI_Firmware_Vulnerabilities/index.html) - [HP 企业级 UEFI 漏洞](https://www.binarly.io/posts/Binarly_Finds_Six_High_Severity_Firmware_Vulnerabilities_in_HP_Enterprise_Devices/index.html) - [仿真和利用 UEFI 固件](https://margin.re/2023/09/emulating-and-exploiting-uefi-firmware/) - [UEFI 
的黑暗面:跨芯片漏洞利用技术深潜](https://www.binarly.io/blog/the-dark-side-of-uefi-a-technical-deep-dive-into-cross-silicon-exploitation) - [LogoFail PoC 内部:从整数溢出到任意代码执行](https://www.binarly.io/blog/inside-the-logofail-poc-from-integer-overflow-to-arbitrary-code-execution) - [PixieFail:Tianocore EDK II IPv6 网络协议栈中的九个漏洞](https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html) - [为了科学!- 使用 EDK II 中一个不起眼的漏洞](https://blog.quarkslab.com/for-science-using-an-unimpressive-bug-in-edk-ii-to-do-some-fun-exploitation.html) - [Hydroph0bia:Insyde H2O 的 SecureBoot 绕过](https://coderush.me/hydroph0bia-part1/) ### 符号链接攻击 - [Zip Slip 漏洞](https://security.snyk.io/research/zip-slip-vulnerability) ### 路由器固件分析 - [IoT 之旅:发现组件和端口](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports/) - [IoT 之旅:固件转储与分析](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-2-firmware-dump-and-analysis/) - [IoT 之旅:无线电通信](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-3-radio-communications/) - [IoT 之旅:内部通信](https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-4-internal-communications/) - [IoT 设备中固件组件的动态分析](https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/) - [RV130X 固件分析](https://raffo24.github.io/hardware%20hacking/FirmwareAnalysis/) - [TP-Link 固件解密 C210 V2 云摄像头引导加载程序](https://watchfulip.github.io/28-12-24/tp-link_c210_v2.html) ### 路由器漏洞利用 - [寻找 Asus 路由器中未经验证的 n-day 漏洞](https://www.shielder.com/blog/2024/01/hunting-for-~~un~~authenticated-n-days-in-asus-routers/) - [将 MikroTik 拉入聚光灯下](https://margin.re/2022/06/pulling-mikrotik-into-the-limelight/) - [利用 CVE-2023-30799 攻击 MikroTik RouterOS 硬件](https://vulncheck.com/blog/mikrotik-foisted-revisited) - [Root 小米 WiFi 路由器](https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/) - 
[通往安全之路:导航路由器陷阱](https://starlabs.sg/blog/2024/route-to-safety-navigating-router-pitfalls/) - [ROPing 我们的方式实现 RCE](https://modzero.com/en/blog/roping-our-way-to-rce/) - [从零开始 ROPing 路由器:Tenda Ac8v4](https://0reg.dev/blog/tenda-ac8-rop) - [PwnAgent:Netgear RAX 路由器中的一键 WAN 侧 RCE](https://mahaloz.re/2023/02/25/pwnagent-netgear.html) - [Puckungfu 2:又一个 NETGEAR WAN 命令注入](https://research.nccgroup.com/2024/02/09/puckungfu-2-another-netgear-wan-command-injection/) - [逆向、发现并利用 TP-Link 路由器漏洞 — CVE-2024–54887](https://infosecwriteups.com/reversing-discovering-and-exploiting-a-tp-link-router-vulnerability-cve-2024-54887-341552c4b104) - [利用 TP-Link AX10 路由器中的零日 (CVE-2025–9961) 漏洞](https://blog.byteray.co.uk/exploiting-zero-day-cve-2025-9961-in-the-tp-link-ax10-router-8745f9af9c46) - [FiberGateway GR241AG - 完整漏洞利用链](https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/) - [使用 TL-WR902AC 路由器进行 IoT 设备黑盒 Fuzzing](https://tsmr.eu/blackbox-fuzzing.html) - [Root TP-Link Tapo C200 Rev.5](https://quentinkaiser.be/security/2025/07/25/rooting-tapo-c200/) #### Netgear 系列 - [Netgear Orbi:简介、UART 访问、侦察](http://blog.coffinsec.com/research/2022/06/12/orbi-hunting-0-intro-uart.html) - [Netgear Orbi:SOAP-API 崩溃](http://blog.coffinsec.com/research/2022/06/19/orbi-hunting-1-soap-api-crashes.html) - [Netgear Orbi:NDay 漏洞利用 CVE-2020-27861](http://blog.coffinsec.com/research/2022/07/02/orbi-nday-exploit-cve-2020-27861.html) - [我们的 Netgear RAX30 漏洞的最后一口气](https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/) #### TP-Link 系列 - [TP-Link TDDP 缓冲区溢出漏洞](https://boschko.ca/tp-link-tddp-bof/) - [Pwn2Own Tokyo 2020:击败 TP-Link AC1750](https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html) - [TP-Link Tapo c200 摄像头未验证 RCE (CVE-2021-4045)](https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce) #### Cisco 系列 - [补丁差异分析 Cisco RV110W 固件更新 - 第 1 
部分](https://quentinkaiser.be/exploitdev/2020/09/23/ghetto-patch-diffing-cisco/) - [CVE-2024-20356:越狱 Cisco 设备运行 DOOM](https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/) - [Flashback Connects - Cisco RV340 SSL VPN RCE](https://www.flashback.sh/blog/flashback-connects-cisco-rv340-ssl-vpn-rce) ### 安全启动绕过 - [使用故障注入绕过安全启动](https://raelize.com/upload/research/2016/2016_BlackHat-EU_Bypassing-Secure-Boot-Using-Fault-Injection_NT-AS.pdf) - [攻破 Google Nest Hub (第 2 代) 上的安全启动](https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html) - [引导进入漏洞:搜寻 Windows SecureBoot 的远程攻击面](https://i.blackhat.com/BH-USA-25/Presentations/US-25-Yang-Booting-into-breaches-Wednesday.pdf) ## 网络与 Web 协议 ### MQTT - [MQTT 简介](https://www.hivemq.com/blog/mqtt-essentials-part-1-introducing-mqtt) - [MQTT Broker 安全 101](https://payatu.com/blog/mqtt-broker-security/) - [使用 MQTT 黑客攻击 IoT](https://morphuslabs.com/hacking-the-iot-with-mqtt-8edaf0d07b9b) - [IoT 安全:MQTT 协议中的 RCE](https://systemweakness.com/iot-security-rce-in-mqtt-protocol-929e533f12b4) - [IoXY - MQTT 拦截代理](https://blog.nviso.eu/2020/07/06/introducing-ioxy-an-open-source-mqtt-intercepting-proxy/) - [MQTT-PWN](https://mqtt-pwn.readthedocs.io/en/latest/) #### 基础 - [理解 MQTT 协议数据包结构](http://www.steves-internet-guide.com/mqtt-protocol-messages-overview/) #### 安全与漏洞利用 - [智能家居容易受到黑客攻击吗?](https://blog.avast.com/mqtt-vulnerabilities-hacking-smart-homes) - [渗透测试 Sesame 智能门锁](https://www.diva-portal.org/smash/get/diva2:1750933/FULLTEXT01.pdf) - [Servisnet Tessa - MQTT 凭证转储 (Metasploit)](https://www.exploit-db.com/exploits/50713) - [Eclipse Mosquitto 未引用服务路径](https://www.exploit-db.com/exploits/49673) #### 已知 CVE - [CVE-2020-13849](https://nvd.nist.gov/vuln/detail/CVE-2020-13849) - DoS 漏洞 (CVSS 7.5) - [CVE-2023-3028](https://nvd.nist.gov/vuln/detail/CVE-2023-3028) - 认证不足 (CVSS 9.8) - [CVE-2021-0229](https://nvd.nist.gov/vuln/detail/CVE-2021-0229) - 资源消耗 (CVSS 5.3) - 
[CVE-2019-5432](https://nvd.nist.gov/vuln/detail/CVE-2019-5432) - 畸形数据包崩溃 (CVSS 7.5) #### 工具 - [Mosquitto - 开源 MQTT Broker](https://mosquitto.org/) - [HiveMQ](https://www.hivemq.com/) - [MQTT Explorer](http://mqtt-explorer.com/) - [Nmap MQTT 库](https://nmap.org/nsedoc/lib/mqtt.html) - [七款最佳 MQTT 客户端工具](https://www.hivemq.com/blog/seven-best-mqtt-client-tools) #### 应用 - [使用 IoT MQTT 进行 V2V 和互联汽车](https://mobilebit.wordpress.com/tag/mqtt/) - [MQTT 硬件开发项目](https://www.hackster.io/search?i=projects&q=Mqtt) - [使用 Kubernetes、Kafka、MQTT、TensorFlow 连接 10 万辆汽车](https://dzone.com/articles/iot-live-demo-100000-connected-cars-with-kubernete) - [使用 MQTT 与 Auth0 进行设备认证](https://auth0.com/docs/integrations/authenticate-devices-using-mqtt) - [用于 MQTT IoT 异常检测的深度学习 UDF](https://github.com/kaiwaehner/ksql-udf-deep-learning-mqtt-iot) - [MQTT 指南:黑客攻击门铃](https://youtu.be/J_BAXVSVPVI) #### 恶意软件研究 - [WailingCrab 恶意软件使用 MQTT 进行 C2](https://securityonline.info/wailingcrab-malware-evolves-embracing-mqtt-for-stealthier-c2-communication) - [警报:新 WailingCrab 恶意软件加载器](https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html) - [Snapcraft 上的 MQTT](https://snapcraft.io/search?q=mqtt) ### CoAP - [IETF 安全协议比较](https://datatracker.ietf.org/doc/draft-ietf-iotops-security-protocol-comparison/03/) - [RFC 8613 - OSCORE](https://datatracker.ietf.org/doc/html/rfc8613) - [Radware - CoAP 协议概述](https://www.radware.com/security/ddos-knowledge-center/ddospedia/coap/) #### 规范与安全 - [EMQX 关于 CoAP 和 IoT 安全 (2024)](https://www.emqx.com/en/blog/iot-protocols-mqtt-coap-lwm2m) - [RFC 8323 - CoAP over TCP](https://datatracker.ietf.org/doc/html/rfc8323) - [RFC 8824 - SCHC 头压缩](https://datatracker.ietf.org/doc/html/rfc8824) #### 工具 - 软件 - [CoAP NSE (Nmap)](https://nmap.org/nsedoc/lib/coap.html) - [Copper - Firefox CoAP 插件](https://github.com/mkovatsc/Copper) - [libcoap CLI 工具](https://github.com/obgm/libcoap) - [Scapy CoAP 插件](https://github.com/secdev/scapy) - [Eclipse Californium 
(Java)](https://www.eclipse.org/californium/) - [Peach Fuzzer](https://www.peach.tech/) #### 工具 - 硬件 - [Raspberry Pi / Arduino + 6LoWPAN](https://docs.arduino.cc/tutorials/nano-33-iot/contiki-ng-coap-example) - [Zolertia](https://zolertia.io/) - [OpenMote](http://www.openmote.com/) - [Nordic 板](https://www.nordicsemi.com/) #### 研究与教程 - [SpectralOps - 十大 IoT 协议安全问题](https://spectralops.io/blog/top-5-most-commonly-used-iot-protocols-and-their-security-issues/) - [IoT 渗透测试实验室搭建指南 (2025)](https://www.webasha.com/blog/how-to-set-up-a-penetration-testing-lab-in-2025-complete-guide-with-tools-os-network-topology-and-real-world-practice-scenarios) - [CoAP 暴露研究 (2024)](https://raid2024.github.io/papers/raid2024-9.pdf) ### mTLS #### ️ 工具 | 工具 | 用途 | 链接 | |---|---|---| | mtls-intercept | 动态签名客户端证书以 MITM 完整 mTLS 会话的反向代理 | [github.com/fungaren/mtls-intercept](https://github.com/fungaren/mtls-intercept) | | mitmproxy | 使用提取的 IoT 设备证书配置 client_certs,在 mTLS 手中冒充设备 | [mitmproxy.org](https://mitmproxy.org) | | SSLsplit | 透明 mTLS 代理 - 转发提取的设备证书以完成与云端的相互握手 | [github.com/droe/sslsplit](https://github.com/droe/sslsplit) | | eCapture (eBPF) | 在 Linux IoT 网关上 Hook OpenSSL/BoringSSL 预加密 - 解密 mTLS + TLS 1.3 + PFS | [ecapture.cc](https://ecapture.cc) | | Wireshark + SSLKEYLOGFILE | 使用 NSS 预主密钥日志解密从 IoT 网关捕获的 mTLS 会话 | [wiki.wireshark.org/TLS](https://wiki.wireshark.org/TLS) | | Frida | 在 Android IoT 配套应用中运行时 Hook SSLContext, TrustManager, KeyManager | [frida.re](https://frida.re) | | Objection | android sslpinning disable - 在配套应用中剥离 mTLS pinning | [github.com/sensepost/objection](https://github.com/sensepost/objection) | | apk-mitm | 静态修补 IoT 配套 APK 以禁用 mTLS 证书 pinning | [github.com/shroudedcode/apk-mitm](https://github.com/shroudedcode/apk-mitm) | | MagiskTrustUserCerts | 在已 root 的 Android POS/自助终端上将自定义 CA 移动到系统存储,以完成 mTLS MITM | [github.com/NVISOsecurity/MagiskTrustUserCerts](https://github.com/NVISOsecurity/MagiskTrustUserCerts) | | frida-multiple-unpinning | 通用 Frida 脚本,针对加固 IoT 应用中的 20 
多种 mTLS/pinning 模式 | [github.com/httptoolkit/frida-android-unpinning](https://github.com/httptoolkit/frida-android-unpinning) | | NEU-SNS/IoTLS | IMC'21 研究仓库 - SSLKEYLOGFILE 文件用于解密跨 32 台设备的 MITM mTLS 连接 | [github.com/NEU-SNS/IoTLS](https://github.com/NEU-SNS/IoTLS) | | mitmrouter | 基于 Linux 的 IoT 流量拦截路由器 - 在网络层拦截设备 TLS | [github.com/nmatt0/mitmrouter](https://github.com/nmatt0/mitmrouter) | #### 博客与文章 - [mTLS:当证书认证出错时](https://github.blog/security/vulnerability-research/mtls-when-certificate-authentication-is-done-wrong/) - [IoT 中的 mTLS 认证:增强互联设备的安全性](https://www.regamiota.com/post/mtls-authentication-in-iot-enhancing-security-for-connected-devices) - [IoT MitM 实践第 1 部分 – AWS IoT MQTT + mTLS 拦截](https://samrambles.com/projects/hunter-hacking/hands-on-iot-mitm-part-1/) - [OWASP MASTG-TECH-0012:绕过 Android IoT 配套应用中的证书 Pinning](https://mas.owasp.org/MASTG/techniques/android/MASTG-TECH-0012/) - [从理论到实践:mTLS 实战第 1 部分](https://klika-tech.com/blog/2025/08/28/theory-to-practice-mtls-in-action-part-1) - [IoT 渗透测试的固件分析](https://blog.attify.com/firmware-analysis-iot-penetration-testing/) - [在 Mosquitto MQTT Broker 上配置 mTLS](https://mosquitto.org/man/mosquitto-tls-7.html) - [AWS IoT 文档:X.509 客户端证书和队列配置](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html) - [Azure IoT Hub:mTLS X.509 CA 认证概念](https://learn.microsoft.com/en-us/azure/iot-hub/iot-hub-x509ca-concept) #### 研究论文 - [IoT 系统中 TLS 和 mTLS 的评估 - MIUN DiVA, 2024](https://miun.diva-portal.org/smash/get/diva2:1937634/FULLTEXT01.pdf) - [Atlas:为 IoT 启用跨供应商 mTLS 认证 - arXiv 2025](https://arxiv.org/html/2602.09263v1) - [IoT 生态系统中的 TLS - IEEE IMC 2021, NEU-SNS](https://github.com/NEU-SNS/IoTLS) - [工业物联网的轻量级 mTLS 认证 - PMC/NIH 2023](https://pmc.ncbi.nlm.nih.gov/articles/PMC10222187/) - [用于 IoT 战场网络的量子增强 mTLS - IJPSAT](https://ijpsat.org/index.php/ijpsat/article/download/6969/4447) - [AI 与 IoT 安全:针对 TLS 攻击的指纹识别与防御 - IEEE Xplore 2025](https://ieeexplore.ieee.org/document/11168239/) #### YouTube - [使用 ARP 欺骗 + 
mitmproxy TLS 拦截拦截 IoT 设备流量](https://www.youtube.com/watch?v=f7XFcZ2_9ww) - [使用 Linux 和 mitmrouter 拦截 IoT 设备流量](https://www.youtube.com/watch?v=k134j9E5oZE) - [双向 TLS - 后端工程秀深度剖析](https://www.youtube.com/watch?v=KwpV-ICpkc4) - [拦截 SSL/TLS - Fiddler 和 MITMProxy 解密演练](https://www.youtube.com/watch?v=gJiVbhyBixM) - [解密 Kubernetes mTLS 流量 - eCapture、自定义 CA、eBPF 方法](https://www.youtube.com/watch?v=4gNuZFkpz8U) - [掌握 mTLS:阻止 MITM 攻击并增强 API/IoT 安全](https://www.youtube.com/watch?v=F-H5ftwKarc) - [IoT 渗透测试简介网络研讨会 - CyberWarFare Labs](https://www.youtube.com/watch?v=qMdg-Rj53jA) ### IoT 协议概览 - [IoT 协议概览](https://www.postscapes.com/internet-of-things-protocols/) - [IoT 攻击面 - OWASP](https://www.owasp.org/index.php/IoT_Attack_Surface_Areas) - [IoT 架构](https://www.c-sharpcorner.com/UploadFile/f88748/internet-of-things-part-2/) - [从 Web 视角攻击 IoT 设备](https://lug.uniroma2.it/eventi/linux-day-23/files/Linux%20Day%20-%20Attacking%20IoT%20Devices.pdf) - [Awesome Industrial Protocols](https://github.com/Orange-Cyberdefense/awesome-industrial-protocols) ## 云与后端安全 ### AWS IoT 安全 - [AWS 渗透测试政策](https://aws.amazon.com/security/penetration-testing/) - [AWS 渗透测试指南 - HackerOne](https://www.hackerone.com/knowledge-center/penetration-testing-aws-practical-guide) - [关于 AWS Nitro Enclaves 的几点说明](https://blog.trailofbits.com/2024/02/16/a-few-notes-on-aws-nitro-enclaves-images-and-attestation/) - [Pacu - AWS 漏洞利用框架](https://github.com/RhinoSecurityLabs/pacu) - [ScoutSuite - 多云安全审计](https://github.com/nccgroup/ScoutSuite) - [Prowler - 云安全评估](https://github.com/prowler-cloud/prowler) #### 基础 - [综合 AWS 渗透测试指南 - BreachLock](https://www.breachlock.com/resources/blog/comprehensive-aws-pentesting-guide/) - [AWS 渗透测试方法论 - MorattiSec](https://medium.com/@MorattiSec/my-aws-pentest-methodology-14c333b7fb58) - [AWS 渗透测试方法论 - Rootshell](https://www.rootshellsecurity.net/aws-penetration-testing-methodology-and-guidelines/) - [2025 年 AWS 
渗透测试技术](https://deepstrike.io/blog/aws-penetration-testing-guide-techniques-and-methodology) #### 工具 - [CloudFox - 云攻击路径](https://github.com/BishopFox/cloudfox) - [S3Scanner - 泄露 Bucket 发现](https://github.com/sa7mon/S3Scanner) - [Cloudfoxable 实验室](https://github.com/BishopFox/cloudfoxable) - [AWS 安全渗透测试资源](https://github.com/redskycyber/Cloud-Security/blob/main/AWS-Security-Pentesting-Resources.md) #### 漏洞 - [2026 年 7 款最佳 AWS 渗透测试工具](https://www.getastra.com/blog/cloud/aws/aws-pentesting-tools/) - [PayloadsAllTheThings - AWS 渗透测试](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md) ### Firebase / 云配置错误 - [Firebase 安全规则测试](https://firebase.google.com/docs/rules/unit-tests) - [配置错误的 Firebase 数据库](https://www.comparitech.com/blog/information-security/firebase-misconfiguration-vulnerability/) ## 移动应用安全 ### Android - [Android 应用逆向工程 101](https://maddiestone.github.io/AndroidAppRE/) - [Android 应用渗透测试书](https://www.packtpub.com/hardware-and-creative/learning-pentesting-android-devices) - [Android 渗透测试视频课程 - TutorialsPoint](https://www.youtube.com/watch?v=zHknRia3I6s&list=PLWPirh4EWFpESLreb04c4eZoCvJQJrC6H) - [Android Tamer](https://androidtamer.com/) - [Android 黑客手册](https://www.amazon.in/Android-Hackers-Handbook-MISL-WILEY-Joshua/dp/812654922X) - [初探 Android 14 取证](https://blog.digital-forensics.it/2024/01/a-first-look-at-android-14-forensics.html?m=1) - [使用 Ghidra 反混淆 Android ARM64 字符串](https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-ghidra-emulating-patching-and-automating/) - [Android 原生组件 Fuzzing 简介](https://blog.convisoappsec.com/en/introduction-to-fuzzing-android-native-components/) - [黑客攻击 Android 游戏](https://8ksec.io/hacking-android-games/) - [在 Flutter 中拦截 HTTPS 通信](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/) #### Android 内核漏洞利用 - [Android 
内核漏洞利用](https://cloudfuzz.github.io/android-kernel-exploitation/) - [攻击 Android Binder:CVE-2023-20938 的分析与利用](https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/) - [使用 Qualcomm TrustZone 攻击 Android 内核](https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone) - [在 Android 驱动程序中向前推进](https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html) - [分析现代野外 Android 漏洞利用](https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html) - [利用 Android 加固内存分配器](https://www.usenix.org/system/files/woot24-mao.pdf) - [GPUAF - Root 所有基于 Qualcomm 的 Android 手机的两种方法](https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf) - [Qualcomm DSP 驱动程序 - 意外挖掘出的漏洞利用](https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html) - [Qualcomm DSP 内核内部机制](https://streypaws.github.io/posts/DSP-Kernel-Internals/) - [Binder Fuzzing](https://androidoffsec.withgoogle.com/posts/binder-fuzzing/) #### Android Scudo 分配器 - [Android:Scudo](https://technologeeks.com/blog/Scudo/) - [盾牌背后:揭开 Scudo 的防御面纱](https://www.synacktiv.com/en/publications/behind-the-shield-unmasking-scudos-defenses) - [scudo 加固分配器 — 非官方内部文档](https://www.l3harris.com/newsroom/editorial/2023/10/scudo-hardened-allocator-unofficial-internals-documentation) ### iOS - [iOS 渗透测试指南](https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf) - [OWASP 移动安全测试指南](https://owasp.org/www-project-mobile-security-testing-guide/) - [一名 iOS 黑客尝试 Android](https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html) - [分析 IOS 内核恐慌日志](https://8ksec.io/analyzing-kernel-panic-ios/) - [突破 iOS 18](https://blog.dfsec.com/ios/2025/05/30/blasting-past-ios-18/) - [在 QEMU 中仿真 iPhone](https://eshard.com/posts/emulating-ios-14-with-qemu) - [Apple USB 
限制模式绕过首次分析 (CVE-2025-24200)](https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html) - [探索 UNIX 管道以获取 iOS 内核漏洞利用原语](https://www.corellium.com/blog/exploring-unix-pipes-for-ios-kernel-exploit-primitives) ## 工业与汽车 ### ICS/SCADA - [ICS Village](https://www.icsvillage.com/) - [ICS Discord 群组](https://discord.com/invite/CmDDsFK) - [Controlthings.io 平台](https://www.controlthings.io/platform) - [应用网络安全与智能电网](https://www.amazon.com/Applied-Cyber-Security-Smart-Grid/dp/1597499986/) - [OT 网络中的深度横向移动](https://www.forescout.com/resources/l1-lateral-movement-reportg) - [黑客攻击 ICS 历史记录仪:从 IT 到 OT 的支点](https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot) - [OPC UA 深潜系列 - 第 1-5 部分](https://claroty.com/team82/research/opc-ua-deep-dive-history-of-the-opc-ua-protocol) - [一种新型 OT/IoT 网络武器内部:IOCONTROL](https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol) - [注意,高压:探索罗克韦尔自动化 PowerMonitor 1000 的攻击面](https://claroty.com/team82/research/attention-high-voltage-exploring-the-attack-surface-of-the-rockwell-automation-powermonitor-1000) ### 汽车安全 - [Awesome Vehicle Security](https://github.com/jaredthecoder/awesome-vehicle-security) - [Car Hacking Village](https://www.carhackingvillage.com/) - [Jeep 黑客攻击](http://illmatics.com/Remote%20Car%20Hacking.pdf) - [斯巴鲁主机越狱](https://github.com/sgayou/subaru-starlink-research/blob/master/doc/README.md) - [汽车黑客实用指南 101](https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-i-cd88d3eb4a53) - [CAN 注入:无钥匙汽车盗窃](https://kentindell.github.io/2023/04/03/can-injection/) - [我如何黑掉我的车系列 - 第 1-6 部分](https://programmingwithstyle.com/posts/howihackedmycar/) - [我也如何黑掉我的车](https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car) - [从 2021 款丰田 RAV4 Prime 提取安全车载通信 (SecOC) 密钥](https://icanhack.nl/blog/secoc-key-extraction/) - [使用反汇编器和分支恢复 ECU 
固件](https://blog.quarkslab.com/recovering-an-ecu-firmware-using-disassembler-and-branches.html) - [汽车内存保护单元:揭示隐藏的漏洞](https://plaxidityx.com/blog/blog-post/is-your-memory-protecteduncovering-hidden-vulnerabilities-in-automotive-mpu-mechanisms/) ### EV 充电器 - [深入解析 Pwn2own Automotive EV 充电器硬件](https://www.zerodayinitiative.com/blog/2023/11/28/a-detailed-look-at-pwn2own-automotive-ev-charger-hardware) - [Pwn2Own Automotive 2024:黑客攻击 ChargePoint Home Flex](https://sector7.computest.nl/post/2024-08-pwn2own-automotive-chargepoint-home-flex/) - [逆向工程 EV 充电器](https://www.mnemonic.io/no/resources/blog/reverse-engineering-an-ev-charger/) ## 支付系统 ### ATM 黑客攻击 - [ATM 渗透测试简介](https://www.youtube.com/watch?v=Ff-0zXTYhuA) - [为了乐趣和利润攻破 ATM](https://www.youtube.com/watch?v=9cG-JL0LHYw) - [ATM Jackpotting 重现 - Barnaby Jack](https://www.youtube.com/watch?v=4StcW9OPpPc) - [信用卡终端上的 Root Shell](https://stefan-gloor.ch/yomani-hack) ### 支付 Village - [支付 Village](https://www.paymentvillage.org/home) ## 工具 ### 硬件工具 - [Bus Pirate](https://www.sparkfun.com/products/12942) - [Bus Pirate 5:硬件黑客的瑞士军刀](https://eclypsium.com/blog/bus-pirate-5-the-swiss-arrrmy-knife-of-hardware-hacking/) - [The Shikra](https://int3.cc/products/the-shikra) - [Attify Badge](https://www.attify-store.com/products/attify-badge-assess-security-of-iot-devices) - [Flipper Zero](https://flipperzero.one/) - [HackRF](https://greatscottgadgets.com/hackrf/) - [RTL-SDR](https://www.rtl-sdr.com/) - [深入解析 ICE-V 无线 FPGA 开发板](https://tomverbeure.github.io/2022/12/27/The-ICE-V-Wireless-FPGA-Board.html) #### 多功能 - [逻辑分析仪 - Saleae](https://www.saleae.com/) - [JTAGulator](https://www.adafruit.com/product/1550) - [EEPROM 读取器/SOIC 线缆](https://www.sparkfun.com/products/13153) #### 调试适配器 - [ST-Link](https://www.st.com/en/development-tools/st-link-v2.html) - [Segger J-Link](https://www.segger.com/products/debug-probes/j-link/) - [FTDI 适配器](_URL_769/>) - [Black Magic Probe](https://black-magic.org/) #### RF/SDR #### USB - 
[FaceDancer21](https://int3.cc/products/facedancer21) - [RfCat](https://int3.cc/products/rfcat) - [NullSec Ducky Payloads](https://github.com/bad-antics/nullsec-ducky-payloads) - 适用于 Windows、macOS 和 Linux 的 Rubber Ducky BadUSB payload,用于 WiFi 凭证提取、反向 shell 和自动侦察。 #### Flipper Zero - [NullSec Flipper Suite](https://github.com/bad-antics/nullsec-flipper-suite) - 全面的 Flipper Zero payload 集合,用于 RF 分析、RFID/NFC 克隆、BadUSB 攻击、红外和无线渗透测试。 - [PineFlip](https://github.com/bad-antics/pineflip) - 专业的 Flipper Zero Linux 配套应用,带有 GTK4/libadwaita UI、屏幕镜像、文件管理器和固件管理。 #### Hak5 - [Hak5 现场套件](https://hakshop.com/) - [NullSec Pineapple Suite](https://github.com/bad-antics/nullsec-pineapple-suite) - 60 多个 WiFi Pineapple payload,用于无线渗透测试,包括去认证、邪恶双子、握手捕获、PMKID 提取和网络侦察。 #### 漏洞利用框架 - [BlueSploit](https://github.com/V33RU/bluesploit) - [IoTSecFuzz](https://gitlab.com/invuls/iot-projects/iotsecfuzz) - [PENIOT](https://github.com/yakuza8/peniot) - [ISF - 工业安全框架](https://github.com/w3h/isf) - [HAL - 硬件分析器](https://github.com/emsec/hal) - [PRET - 打印机漏洞利用工具包](https://github.com/RUB-NDS/PRET) - [Expliot Framework](https://gitlab.com/expliot_framework/expliot) - [RouterSploit](https://github.com/threat9/routersploit) - [HomePwn](https://github.com/ElevenPaths/HomePWN) - [固件分析工具包 (FAT)](https://github.com/attify/firmware-analysis-toolkit) - [Shambles:下一代 IoT 逆向工程工具](https://boschko.ca/shambles/) #### 固件分析 - [Samsung 固件魔术](https://github.com/chrivers/samsung-firmware-magic) ### Fuzzing 工具 - [Fuzzing 的艺术:简介](https://bushido-sec.com/index.php/2023/06/19/the-art-of-fuzzing/) - [LibAFL 入门研讨会](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop) - [使用 AFL++ 进行 Blitz 教程 Fuzzing 实验](https://research.checkpoint.com/2023/the-blitz-tutorial-lab-on-fuzzing-with-afl/) - [Linux 快照 Fuzzing 现状](https://fuzzinglabs.com/state-of-linux-snapshot-fuzzing/) - [流行条码软件中行与行之间的 Fuzzing](https://blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/) - 
[Boofuzz](https://github.com/jtpereyda/boofuzz) - [Syzkaller - 内核 Fuzzer](https://github.com/google/syzkaller) - [parking-game-fuzzer](https://github.com/addisoncrump/parking-game-fuzzer) #### 基础 - [OWASP Fuzzing 信息](https://owasp.org/www-community/Fuzzing) - [应用程序可靠性的模糊测试](https://pages.cs.wisc.edu/~bart/fuzz/) - [FuzzingPaper 合集](https://github.com/wcventure/FuzzingPaper/tree/master/Paper) - [Google Fuzzing 论坛](https://github.com/google/fuzzing) #### IoT 专用 Fuzzing - [Fuzzing ICS 协议](https://1modm.github.io/Fuzzing_ICS_protocols.html) - [Fuzzowski - 网络协议 Fuzzer](https://hakin9.org/fuzzowski-the-network-protocol-fuzzer-that-we-will-want-to-use/) - [FIRM-AFL:高通量 IoT 固件 Fuzzing](https://www.usenix.org/conference/usenixsecurity19/presentation/zheng) - [Snipuzz:IoT 固件黑