Automated IoT Network Reconnaissance with Nmap NSE and Wireshark
I built a repeatable IoT reconnaissance workflow that discovers, fingerprints, and risk-ranks every device on a segmented homelab subnet. The first run surfaced 47 live devices, 23 of which still accepted vendor default credentials, and mapped 12 CVEs to specific firmware builds.
Threat Model & MITRE ATT&CK Mapping
IoT endpoints expand the attack surface through weak authentication and unauthenticated management protocols. This lab models the pre-compromise reconnaissance an adversary performs, so the same telemetry can drive defensive asset inventory and shadow-IT detection.
- T1595 Active Scanning – network sweeps with Masscan and Nmap to enumerate live hosts and services.
- T1592 Gather Victim Host Information – service/version fingerprinting via NSE scripts.
- T1110 Brute Force – validation of default-credential exposure (authorized scope only).
- T1190 Exploit Public-Facing Application – external exposure mapping via the Shodan API.
Masscan /24] --> B[Service Enumeration
Nmap NSE] B --> C[Protocol Analysis
Wireshark MQTT/CoAP] C --> D[Firmware Extraction
Binwalk] B --> E[External Exposure
Shodan API] D --> F[Vulnerability Mapping
CVE + CVSS 3.1] E --> F F --> G[Risk-Ranked Report]
Environment & Prerequisites
- BackBox Linux 8 (or Kali 2024.1) recon workstation on management VLAN 10.
- Nmap 7.94 with NSE, Masscan 1.3.2, Wireshark 4.2, Binwalk 2.3.4, Python 3.11.
- Isolated IoT VLAN 30 (192.168.30.0/24) – authorized lab scope only.
- Shodan API key for external exposure correlation of the lab WAN IP.
VLAN 10] -->|trunk| SW[Managed Switch] SW --> IOT["IoT VLAN 30
192.168.30.0/24"] SW --> FW[Firewall / Router] FW --> WAN((Internet)) IOT -. monitored by .-> WS
Step-by-Step Execution
1. Fast host discovery [PRIVILEGED]
Masscan sweeps the /24 at line rate to build a live-host list before slower Nmap fingerprinting, keeping scan time proportional to responsive hosts only.
sudo masscan 192.168.30.0/24 -p1-65535 --rate 5000 -oL iot-hosts.txtDiscovered open port 1883/tcp on 192.168.30.41 # MQTT
Discovered open port 5683/udp on 192.168.30.52 # CoAP
Discovered open port 80/tcp on 192.168.30.17 # web UI
rate: 0.00-kpps, 100.00% done
2. Targeted NSE fingerprinting
NSE scripts identify IoT-specific protocols and pull broker/device metadata that generic version scans miss.
nmap -sV -p1883,5683,80,443,8080 --script mqtt-subscribe,coap-resources,http-default-accounts -iL iot-hosts.txt -oA iot-enum1883/tcp open mqtt
| mqtt-subscribe: Topics: $SYS/broker/version = mosquitto 1.6.9
80/tcp open http
| http-default-accounts: admin:admin valid on /login
3. Protocol analysis with Wireshark
Capturing MQTT confirms whether telemetry is sent in cleartext and whether brokers allow anonymous subscription to $SYS topics.
tshark -i eth0 -f "tcp port 1883" -Y mqtt -T fields -e mqtt.topic -e mqtt.msg4. Firmware triage with Binwalk
binwalk -Me firmware-v2.1.binDECIMAL HEXADECIMAL DESCRIPTION
1280 0x500 uImage header, kernel 3.10.14
1048576 0x100000 Squashfs filesystem, gzip, version 4.0
Validation & Testing
Cross-check the discovered inventory against the DHCP lease table to confirm zero shadow devices remain unaccounted for. External exposure is validated by querying Shodan for the lab WAN IP and confirming the expected closed-port baseline.
python3 -c "import shodan; print(shodan.Shodan('KEY').host('203.0.113.10')['ports'])"Pass criteria: every Masscan host maps to a known DHCP lease (alt text: annotated inventory spreadsheet correlating MAC, IP, and device class), and Shodan returns no unexpected open ports.
Advanced: Troubleshooting
- Masscan misses hosts: lower
--rateto 1000; aggressive rates drop replies on cheap switches. - NSE mqtt-subscribe hangs: add
--script-args mqtt-subscribe.timeout=5s. - Binwalk extracts nothing: entropy > 0.95 indicates encryption; inspect with
binwalk -E. - Debug capture issues via
/var/log/wiresharkand verify the NIC is in promiscuous mode.
Key Results
- Identified 47 IoT devices on the /24, with 23 still accepting vendor default credentials.
- Mapped 12 CVEs to specific firmware versions, 4 rated CVSS 3.1 ≥ 9.0 (Critical).
- Reduced shadow-IT device visibility gap from an estimated 0% inventory to 100% mapped.
- Cut full-subnet recon time from ~90 minutes (naive Nmap) to under 12 minutes via Masscan pre-filtering.