This is the quick-hit version of the firmware analysis training I gave. As with all of the formal training, you can use the below for a quick reference, or view the full presentation here.
Downloads
You can use any firmware files you’d like, but this training and these exercises were designed around the following two files:
- https://www.stackattack.net/files/fw-dwr-932-2.03.zip (password: beUT9Z)
- https://www.stackattack.net/files/fw-wrt-54g-4.21.5.bin
Extracting ZIP Files
hermit@system:~$ file Firmware.zip
Firmware.zip: Zip archive data, at least v1.0 to extract
ZIP Files With Offsets
hermit@system:~$ file Firmware.zip
Firmware.zip: data
hermit@system:~$ unzip Firmware.zip
Archive: Firmware.zip
warning [Firmware.zip]: 64 extra bytes at beginning or within zipfile
[CTRL+C]
hermit@system:~$ dd if=Firmware.zip of=NewFirmware.zip bs=64 skip=1
993106+1 records in
993106+1 records out
63558829 bytes (64 MB, 61 MiB) copied, 1.16206 s, 54.7 MB/s
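The dd line above only works because unzip already told us the junk is exactly 64 bytes long; a different image will have a different vendor header. The following shell functions are an added example for this write-up (not part of the original training) that generalise the step: they find the first ZIP local-file-header signature (the bytes PK\003\004) with grep -b, then cut everything before it off with tail. The file names used in the usage line at the bottom are placeholders.

```shell
# zipfix.sh -- locate a ZIP archive hidden behind a vendor header and strip
# the leading bytes. Added example for this write-up; not from the training.
# Assumes GNU grep (for -b/-o/-a) and a POSIX tail with the -c +N form.

# Print the byte offset of the first ZIP local file header in $1.
# Fails (return 1) when the file contains no PK\003\004 signature.
zip_offset() {
    # -b prints the byte offset of each match, -o one match per line, -a/-U
    # treat the file as raw bytes, -F searches the literal 4-byte signature.
    # LC_ALL=C keeps grep from choking on non-UTF-8 bytes.
    off=$(LC_ALL=C grep -obUaF "$(printf 'PK\003\004')" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$off" ] || return 1
    printf '%s\n' "$off"
}

# Copy $1 to $2 with everything before the ZIP signature removed.
# Equivalent to the dd bs=64 skip=1 step, but with the offset computed.
zip_strip_prefix() {
    off=$(zip_offset "$1") || { echo "no ZIP signature found in $1" >&2; return 1; }
    # tail -c +N starts output at byte N (1-based), so skip $off bytes.
    tail -c +$((off + 1)) "$1" > "$2"
    echo "stripped $off leading bytes: $1 -> $2"
}

# Usage (placeholder names):
#   zip_strip_prefix Firmware.zip NewFirmware.zip && unzip NewFirmware.zip
```

Two caveats: the first PK\003\004 match is taken as the start of the archive, which is right for a plain vendor header but can be fooled if the header itself happens to contain those bytes; and if `zip_offset` finds a signature deep inside a large image, the data before it may be a separate component (bootloader, kernel) worth keeping rather than junk, so check the offset against what `binwalk` reports before throwing it away.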
Extracting ZIP Files with Passwords
hermit@system:~$ fcrackzip -m 2 -v -b fw-dwr-932-2.03.zip
found file 'FILENAME.EXT', (size cp/uc 12/ 0, flags 9, chk 7a64)
{etc}
8 file maximum reached, skipping further lines
possible pw found: beUT9Z ()
[CTRL+C]
Extracting Binary Files
hermit@system:~$ binwalk -e -C /path/to/extract/to -M -d 2 -v ./Firmware.bin
Extracting YAFFS Files
hermit@system:~$ unyaffs Firmware.yaffs2
Extracting squashfs Files
hermit@system:~$ unsquashfs Firmware.squashfs
Things To Try
Crack the system passwords:
hermit@system:~/FWDemo/yaffs_extract/etc$ john --incremental shadow
MD5 all files on the system:
hermit@system:~/FWDemo/yaffs_extract$ find . -type f -exec md5sum '{}' \;
Look for webserver files; common places are:
/var/www
/var/html
/WEBSERVER
Look for all executables:
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -type f -executable -print
Look for configurations:
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name '*conf*' -print
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name '*cfg*' -print
Look at what starts at boot:
hermit@system:~/FWDemo/yaffs_extract$ ls -la ./etc/rc*
Look for mount points:
hermit@system:~/FWDemo/yaffs_extract$ cat ./etc/fstab
Look for ISOs:
hermit@system:~/FWDemo/yaffs_extract$ find . -name '*.iso*' -print
Mount ISOs:
hermit@system:~/FWDemo/yaffs_extract$ sudo mount -o loop,ro ./iso/path /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ pushd /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ popd
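The one-liners above are the manual version of a first-pass triage. The script below is an added example for this write-up (not from the training) that bundles them into functions you can run against any extracted root filesystem: it pulls out the accounts that actually have a crackable hash (checking /etc/passwd as well as /etc/shadow, since embedded images often keep the hash there), lists setuid binaries and config files, greps those configs for credential-looking lines, finds candidate web roots and boot scripts, and hashes every file so two firmware versions can be diffed. It assumes a Linux host with GNU find, grep and md5sum; the rootfs path on the usage line is a placeholder.

```shell
# fw_triage.sh -- first-pass triage of an extracted firmware root filesystem.
# Added example for this write-up; not part of the original training.
# Each function takes the extracted rootfs directory and prints one result
# per line so it can be piped into grep, sort or wc.

# Accounts with a real password hash (field 2 is not empty, "x", "*" or a
# locked "!..." entry). These are the lines worth giving to john. Embedded
# images frequently put the hash straight into /etc/passwd, so check both.
fw_password_hashes() {
    root=$1
    for f in "$root/etc/shadow" "$root/etc/passwd"; do
        [ -f "$f" ] || continue
        awk -F: -v file="${f#"$root"}" \
            '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print file ":" $1 ":" $2 }' "$f"
    done
}

# Setuid-root binaries: the first place to look for privilege escalation.
fw_setuid_files() {
    find "$1" -type f -perm -4000 | sort
}

# Everything executable, not just /etc (the training searched ./etc only).
fw_executables() {
    find "$1" -type f -perm -u+x | sort
}

# Files that look like configuration, including nvram default dumps.
fw_config_files() {
    find "$1" -type f \( -name '*conf*' -o -name '*cfg*' -o -name '*.ini' -o -name '*nvram*' \) | sort
}

# Lines in those config files that look like a credential assignment
# (user=, password:, secret =, ...). Default DynDNS/FOTA/PPP logins show up here.
fw_credential_lines() {
    fw_config_files "$1" | while IFS= read -r f; do
        grep -HIinE '(passw(or)?d|secret|pwd|user(name)?)[[:space:]]*[=:]' "$f" 2>/dev/null || true
    done
}

# Candidate web roots used by embedded httpd servers.
fw_web_roots() {
    find "$1" -type d \( -iname 'www' -o -iname 'html' -o -iname 'htdocs' -o -iname 'webserver' -o -iname 'web' \) | sort
}

# What runs at boot: rc scripts, init.d and inittab.
fw_boot_scripts() {
    for p in "$1"/etc/rc* "$1"/etc/init.d "$1"/etc/inittab; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Full report. Usage: fw_triage /path/to/extracted/rootfs
fw_triage() {
    root=${1%/}
    [ -d "$root" ] || { echo "usage: fw_triage <extracted-rootfs>" >&2; return 1; }
    echo "== password hashes (feed to john) ==";  fw_password_hashes "$root"
    echo "== setuid binaries ==";                 fw_setuid_files "$root"
    echo "== executables ==";                     fw_executables "$root"
    echo "== config files ==";                    fw_config_files "$root"
    echo "== credential-looking config lines =="; fw_credential_lines "$root"
    echo "== web roots ==";                       fw_web_roots "$root"
    echo "== boot scripts ==";                    fw_boot_scripts "$root"
    echo "== md5 of every file (diff against another version) =="
    (cd "$root" && find . -type f -exec md5sum '{}' \; | sort -k2)
}
```

Run the md5 section against two versions of the same image and diff the two listings: the files that changed between releases are usually where a fix (or a newly introduced bug) lives. The credential grep is deliberately broad; expect false positives such as `user=nobody` and read the hits by hand rather than trusting the count.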
Scavenger Hunt
From least difficult to most difficult:
- DD-WRT54G Firmware: Find code being used in production that explicitly says it's not for production use!
- DWR-932B Firmware: Find the root password
- DWR-932B Firmware: Find the default DynDNS username and password
- DWR-932B Firmware: Find the Setup.exe file
- DD-WRT54G Firmware: Find where the "get_single_ip" function originates
Good hunting!