IoT Firmware Analysis!!!



A simple tutorial you can follow if you are new to the IoT world and firmware analysis.
There are various videos you can refer to as well; what to take away from all of them is the logic behind what is needed and what to look for.


Step 1 - We begin by downloading the firmware from the link below, which belongs to a simple D-Link router; it can also be downloaded from the vendor's official website:

https://github.com/praetorian-inc/DVRF/blob/master/Firmware/DVRF_v03.bin

Step 2 - We can use any tool capable of ".bin" extraction. We will be using the "Binwalk" tool with the command below to analyze the file system type.

For a complete list of file systems, please refer to this link: http://elinux.org/File_Systems.


  • binwalk file.bin



Step 3 - What we identify from a plain binwalk scan is the file system and the offset at which that file system starts, which in our case is "1648424". The next step is to extract the file system using the commands below:
  • binwalk -e file.bin
If the above method doesn't work, try the one below:
  • binwalk -eM file.bin
Note: There is a chance that binwalk gives false positives, in which case you can use other tools such as "unsquashfs -l filename.bin", or you can use https://firmalyzer.com/, where you upload the firmware and it gives a comprehensive inspection along with the available binary files.
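To make the "find the file system offset" step concrete, here is an added example (written for this post, not binwalk's own code and not part of the original tutorial) of the signature scan binwalk performs for SquashFS: it searches the image for the superblock magic and then validates the header fields, which is exactly what separates a real file system from the false positives the note above mentions. It handles the SquashFS 4.x superblock layout only (older 2.x/3.x headers differ), and the sample image, including the 1648424 offset taken from the post, is constructed inline rather than read from DVRF_v03.bin.

```python
"""Locate SquashFS superblocks inside a raw firmware image.

Added example in the spirit of the offset `binwalk file.bin` reports in
Step 3. It is hand-written for this post, not binwalk, and only understands
the SquashFS 4.x superblock layout.
"""
import struct
import sys

# SquashFS 4.x superblock (96 bytes): magic, inode_count, mtime, block_size,
# fragment_entry_count (u32s); compression_id, block_log, flags, id_count,
# version_major, version_minor (u16s); root_inode_ref, bytes_used and six
# table-start offsets (u64s). Endianness follows the magic string.
SUPERBLOCK_FMT = "5I6H8Q"
SUPERBLOCK_LEN = struct.calcsize("<" + SUPERBLOCK_FMT)
MAGICS = {b"hsqs": "<", b"sqsh": ">"}          # little-endian / big-endian images
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def parse_superblock(blob, offset):
    """Return a dict describing the superblock at `offset`, or None when the
    bytes only look like one (the false-positive case)."""
    magic = blob[offset:offset + 4]
    if magic not in MAGICS or offset + SUPERBLOCK_LEN > len(blob):
        return None
    fields = struct.unpack_from(MAGICS[magic] + SUPERBLOCK_FMT, blob, offset)
    (_, inode_count, _mtime, block_size, _frags, comp, block_log, _flags,
     _ids, major, minor, _root, bytes_used) = fields[:13]
    # Consistency checks a genuine superblock satisfies and random bytes rarely do.
    if not (12 <= block_log <= 20) or block_size != 1 << block_log:
        return None
    if comp not in COMPRESSORS or major != 4:
        return None
    if bytes_used == 0 or bytes_used > len(blob) - offset:
        return None
    return {"offset": offset, "endian": "little" if magic == b"hsqs" else "big",
            "version": f"{major}.{minor}", "compression": COMPRESSORS[comp],
            "block_size": block_size, "inodes": inode_count, "size": bytes_used}


def scan_firmware(blob):
    """Walk the whole image and return every validated SquashFS superblock."""
    found = []
    for magic in MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            sb = parse_superblock(blob, pos)
            if sb:
                found.append(sb)
            pos = blob.find(magic, pos + 1)
    return sorted(found, key=lambda sb: sb["offset"])


def build_sample_image():
    """Constructed test image (not the real DVRF_v03.bin): zero padding up to
    1648424, the offset the post reports, a bogus 'hsqs' planted early to mimic
    a false positive, and a valid v4.0 xz superblock at the real offset."""
    image = bytearray(1648424 + 4096)
    image[4096:4096 + 20] = b"hsqs" + b"\xff" * 16     # garbage after the magic
    superblock = struct.pack("<" + SUPERBLOCK_FMT,
                             0x73717368, 1500, 1497000000, 131072, 10,
                             4, 17, 0x40, 1, 4, 0,
                             0, 2048, 0, 0, 0, 0, 0, 0)
    image[1648424:1648424 + SUPERBLOCK_LEN] = superblock
    return bytes(image)


if __name__ == "__main__":
    # Pass a firmware path to scan a real image; otherwise scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for sb in scan_firmware(data):
        print(f"SquashFS {sb['version']} ({sb['compression']}, {sb['endian']}-endian) "
              f"at offset {sb['offset']}, {sb['size']} bytes, {sb['inodes']} inodes")
```

Running it with no arguments scans the constructed image and reports a single file system at offset 1648424; the planted magic at offset 4096 is rejected by the block-size and compressor checks. Pointing it at a real image (`python3 scan.py file.bin`) is a quick cross-check of the offset binwalk prints before you commit to an extraction.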


Step 4 - After binwalk we see a "squashfs-root" folder inside "_DVRF_v03.bin.extracted" which contains the complete file system, and you can go ahead and search it for sensitive areas such as passwords for various services, e.g. Telnet.



Step 5 - Now we look for "passwd"; among the files and folders we find, we may have a chance of finding passwords for other services as well:
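As an added example for Step 5 (written for this post, not taken from the original tutorial or from the DVRF project), the script below walks an extracted root such as "squashfs-root", finds passwd/shadow-style files, and flags what a reviewer would want to know: accounts with an empty password field, password hashes shipped in the firmware (the same credential on every device), and non-root accounts with uid 0. The sample tree it builds is constructed for the demo; the hash values are obvious placeholders and do not reproduce the real DVRF_v03.bin contents.

```python
"""Audit account files in an extracted firmware root (Step 5).

Added example, not from the original post: walks a `squashfs-root` style
directory for passwd/shadow files and reports weak account configurations.
"""
import os
import sys
import tempfile

CANDIDATE_FILES = ("passwd", "shadow", "passwd-", "shadow-", "passwd.bak")
LOCKED_MARKERS = ("x", "*", "!", "!!")   # no usable password in this field


def find_account_files(root):
    """Return paths under `root` whose basename looks like a passwd/shadow file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in CANDIDATE_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def audit_account_file(path):
    """Parse colon-separated entries and return (user, finding) pairs."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, pw = fields[0], fields[1]
            is_passwd = len(fields) == 7          # passwd has 7 fields, shadow 9
            if pw == "":
                findings.append((user, "empty password field: login without a password"))
            elif pw not in LOCKED_MARKERS and not pw.startswith("!"):
                where = "passwd" if is_passwd else "shadow"
                findings.append((user, f"password hash shipped in {where} ({pw[:3]}...)"))
            if is_passwd and fields[2] == "0" and user != "root":
                findings.append((user, "non-root account with uid 0"))
    return findings


def audit_root(root):
    """Map every account file under `root` to its findings."""
    return {path: audit_account_file(path) for path in find_account_files(root)}


def build_sample_root():
    """Constructed extracted-root tree for the demo (placeholder hashes,
    not real DVRF contents). Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="squashfs-root-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    with open(os.path.join(etc, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/sh\n"
                 "admin:$1$constructed$placeholder:0:0:Admin:/:/bin/sh\n"
                 "nobody:*:99:99:nobody:/:/bin/false\n"
                 "telnetd::100:100:telnet:/:/bin/sh\n")
    with open(os.path.join(etc, "shadow"), "w") as fh:
        fh.write("root:$1$constructed$placeholder2:17000:0:99999:7:::\n"
                 "nobody:*:17000:0:99999:7:::\n")
    return root


if __name__ == "__main__":
    # Pass the path to an extracted root; otherwise audit the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_root()
    for path, findings in audit_root(target).items():
        print(path)
        for user, finding in findings:
            print(f"  {user}: {finding}")
```

Run it against the extraction directory from Step 4 (`python3 audit.py _DVRF_v03.bin.extracted/squashfs-root`). Hashes reported here are the ones worth tracking as a finding: because the file system is identical on every unit, a single weak hash means a shared password across the whole fleet, and an empty field means a service such as Telnet may accept that account with no password at all.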



Thanks and regards,
#Kapil_Kulkarni
#Akash_Chavan



References:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
http://resources.infosecinstitute.com/reversing-firmware-part-1/#gref
https://github.com/praetorian-inc
http://blog.attify.com/2016/07/08/firmware-analysis-iot-devices/
https://firmalyzer.com/analyze/
