Guides

https://wikileaks.org/ciav7p1/cms/page_16384163.html

Binwalk

Binwalk is a fast, easy-to-use tool for analyzing, reverse engineering, and extracting firmware images (https://github.com/ReFirmLabs/binwalk).
Examples:

binwalk -Me myfile.bin > results.txt
binwalk --dd=".*" myfile.bin

Then search the extraction subdirectory binwalk created for interesting strings:

grep -i -r "passwords"
grep -i -r "certificates"
...
  • Open up GHIDRA/radare2/IDA Pro for reversing and further research.
  • Use certificates and keys found to decrypt traffic

Firmadyne

FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware. It is available at https://github.com/firmadyne/firmadyne. Note that the extractor module only works for Linux file systems, as one of the developers explains:
"There's no standard format for firmware images, so automated extraction isn't straightforward. Even manual extraction with binwalk can be quite challenging, especially if the firmware uses an RTOS, a custom filesystem, or anything non-*NIX."

Firmwalker

A simple bash script (https://github.com/craigz28/firmwalker) that searches an extracted or mounted firmware file system for things of interest such as:

  1. etc/shadow and etc/passwd
  2. list out the etc/ssl directory
  3. search for SSL related files such as .pem, .crt, etc.
  4. search for configuration files
  5. look for script files
  6. search for other .bin files
  7. look for keywords such as admin, password, remote, etc.
  8. search for common web servers used on IoT devices
  9. search for common binaries such as ssh, tftp, dropbear, etc.
  10. search for URLs, email addresses and IP addresses
  11. Experimental support for making calls to the Shodan API using the Shodan CLI

Crack SquashFS user passwords

About SquashFS:
SquashFS is a read-only file system that lets you compress whole file systems or single directories, write them to other devices/partitions or to ordinary files, and then mount them directly (if a device) or via a loopback device (if it is a file). The modular, compact system design of SquashFS is bliss. For archiving purposes, SquashFS gives you a lot more flexibility and speed than a tarball archive.

How to crack the user passwords in a SquashFS image:

  1. binwalk -M -e mybin.bin
  2. unsquashfs mybin.sqfs
  3. cd etc/
  4. cp passwd /root/Documents/
  5. cp shadow /root/Documents/
  6. cd Documents/
  7. unshadow passwd shadow > passwd.txt
  8. john passwd.txt
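What step 7 actually does, and the checks worth running on the merged file before handing it to john, as an added example that is not part of the original page: the passwd and shadow contents below are constructed, and the `audit` helper and its finding names are this example's own, not unshadow's or john's.

```python
"""unshadow(8)-style merge of an extracted firmware's etc/passwd and etc/shadow,
then flag weak accounts. Added example; the sample files below are constructed."""
PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""
SHADOW = """root:$1$abcdefgh$0123456789abcdefghijkl:18000:0:99999:7:::
admin::18000:0:99999:7:::
nobody:*:18000:0:99999:7:::
"""
SCHEMES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt",
           "$6$": "sha512crypt", "$y$": "yescrypt"}   # crypt(3) hash prefixes

def unshadow(passwd_text, shadow_text):
    """Replace the 'x' placeholder in passwd with the hash from shadow."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines()
                  if line and not line.startswith("#"))
    merged = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            if f[1] == "x" and f[0] in hashes:   # only shadowed accounts change
                f[1] = hashes[f[0]]
            merged.append(":".join(f))
    return merged

def classify(hash_field):
    """Name the password scheme, or say why no usable password exists."""
    if hash_field == "":
        return "EMPTY-PASSWORD"          # login succeeds with no password at all
    if hash_field.startswith(("*", "!")) or hash_field == "x":
        return "locked"                  # no valid hash anywhere, cannot log in
    for prefix, scheme in SCHEMES.items():
        if hash_field.startswith(prefix):
            return scheme
    return "legacy-des" if len(hash_field) == 13 else "unknown"   # traditional crypt

def audit(passwd_text=PASSWD, shadow_text=SHADOW):
    """Return (user, uid, finding) tuples for accounts a reviewer should check."""
    findings = []
    for line in unshadow(passwd_text, shadow_text):
        user, hash_field, uid = line.split(":")[:3]
        kind = classify(hash_field)
        if kind in ("EMPTY-PASSWORD", "legacy-des", "md5crypt"):   # no password, or a fast hash
            findings.append((user, int(uid), kind))
        if uid == "0" and user != "root":   # second root-equivalent account
            findings.append((user, 0, "extra-uid0-account"))
    return findings
```

An empty hash field or a second uid-0 account is a finding on its own, with nothing left to crack; md5crypt and traditional DES entries are the ones worth feeding to john.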