OWASP IoT I9: Firmware analysis part -1

• Get the firmware• Reconnaissance• Unpacking• Localize point of interest• Decompile/pentest/fun!What are the requirements i will explain step by step. Here i am using the Ubuntu Xenial 16.04 you can use which Linux is comfortable with you.

Requirements:


1.Binwalk
2.Strings
3.Hexeditor
4.Linux OS - Ubuntu or Any other
5.Vulnerable firmware

So here i am not attacking any device directly because for firmware you will get from the vendor site or you can find some firmware in index of some sites.

Installation:

1.Binwalk:


as shown below And follow the installation steps from the Github location some dependencies need to be install. Some of them i will show how to do and remaining check from here

https://github.com/ReFirmLabs/binwalk/blob/master/INSTALL.md
  
$sudo apt-get install binwalk





2.Strings:


After installation in the Binwalk in my Linux operating OS so next strings already default many Linux systems if it’s not there then install strings and Hexeditor

Strings using for printable characters in files. Depending upon how the strings program was configured it will default to either displaying all the printable sequences that it can find in each file, or only those sequences that are in loadable, initialised data sections. If the file type in unrecognisable, or if strings is reading from "stdin" then it will always display all of the printable sequences that it can find.



3.hexedit tool:


hexedit tool - view and edit files in hexadecimal or in ASCII.


4.Linux OS:


Here coming for the firmware analysis many Linux OS having some problems while doing the testing, so i am choosing Ubuntu 
You can choose other Linux as well but issues found many


5. Vulnerable Firmware:


In firmware testing we required a firmware and why i mentioned vulnerable firmware here , i am not going to target any particular device , the people who are working in this firmware analysis they designed one DVRF - Damn Vulnerable Framework Router , we are going test DVRF you can download from here:

https://github.com/praetorian-inc/DVRF


Some other firmware files to test 

https://github.com/V33RU/IoTSecurity101#firmware-to-pentest

Here i am showing the a simple firmware of “openwrt” for testing purpose you can download with help of Google dorks also for example: “index of firmware”


Before going to start the "firmware analysis"


What is firmware:


Firmware is a software for hardware, and it is helped for the user running programs on the devices

Where it is available :


1. CD/DVD from vendor 
2. Device Vendor websites 
3.   Dump with the help of hardware debuggers from the devices.
4. Capture when updating firmware 
5. Reversing APPS

What is firmware testing:


Firmware testing is nothing but finding the bug inside of firmware before hackers do ..
In firmware testing main flaw findings are buffer/stack/heap over flows , so some other testing are like functionality test and security test , so we are discuss about the security test.

Why firmware testing:


Firmware is consist of hidden data and it is controller of device which means once find the vulnerabilities like are zero days in firmware , that firmware related all devices can be hackable , already many hacks exposed like “netusb” related hacking techniques , so before hackers taking advantage of devices hacking will go for test first,


Lets get into testing:


Before i am going to test i want to say something to all , this is not only final or advanced method , As a beginner it will give some idea on testing , there many more methods are there i am keep writing for the different types of testing of firmware analysis and IoT hacking also.

1. File information
2. Printable characters analysis
3. Identify the Build of firmware
4. Reverse engineering with the Binwalk
5. Finding the confidential information

Run “file” command in on testing binary file to get the data information of bin file,
A data contains of the .txt files and .bin files , when we are running the file command it will showing the data it means bin file containing information.

 # file “file.bin”




And check for the printable characters in bin file with help of “strings”

 # strings -n 10 file.bin

The above image is giving the information of the architecture of “MIPS”there are two main types of architecture MIPS and ARM ,

MIPS(Million Instructions Per Second):  

This architecture is mainly in Routers and Play stations , and it is is a reduced instruction set computer (RISC)

ARM(Advanced RISC Machine)

this architecture is using for the mainly mobiles , and SoC (system on chips) , radios etc.


MIPS And ARM Exploitation is possible , from strings command not only architecture information, will get more than that like passwords or any other sensitive information 

Identify the Build of firmware:


For finding the firmware build information we are going to use Hexdump

# hexdump -C -n 512 xyz.bin

Analysis with Binwalk:


With help of binwalk we can find more information from the firmware files so lets begin
Here we go for the testing firmware file

Here we going to check for the signatures and file containing inside of binary file]

 $binwalk file.bin




 After that what we got information about the given file containing ,
LZMA compressed data , squashfs file system , and some other information for video actually what are they.




 The Lempel–Ziv–Markov chain algorithm (LZMA) is an algorithm used to perform lossless data compression. 
SquashFS is a compressed read-only file system for Linux. SquashFS compresses files, inodes and directories, and supports block sizes up to 1 MB for greater compression.



And it is containing information of passwords , certificates , running services , architecture information, api's , fimrware upgrade url's and many other sensitive information that we need to check manually or automated way 
Extracting the data form the firmware and analyzing the information what it contains

$binwalk -Me “file.bin”




In binwalk “M” for even recursively scan files as it extracts them , For extracting firmware we choose option “e” after extracting looking like this as shown below



And like that grab the banner information and root information

Command:


$cat etc/banner



For finding the Confidential information form the extracted files
Some interesting information is available like passwords , root information and certificated , hardcoded url’s etc

Once squashfs folder is extracted we will get more information from it like passwords,
Go to extracted folder as shown below 

$cat /etc/passwd$cat /etc/shadow




 To check additional information about

 Firmware like release and version information

$cat openwrt_release
$cat openwrt_version 





Comments

Post a Comment

Popular posts from this blog

VR Model P1 - 360 degree camera

Image
This article is one of my very old assessment for fun i did (and it is done 2017) got it by recovering hard disk and assigned CVE ID - (CVE-2020-23512) . Here my target to  test 360 degree camera which trending in the IP camera world recently, what we going test model P1 VR camera. What is VR camera..? In photography, an omnidirectional camera (from "Omni", meaning all) is a camera with a 360-degree field of view in the horizontal plane, or with a visual field that covers (approximately) the entire sphere. Omnidirectional cameras are important in areas where large visual field coverage is needed, such as in panoramic photography and robotics. VR CAM P1 Proxy Eye Fisheye Camera IP 3D Vr 360 Degree Panoramic 960P Wi-Fi CCTV Camera With Sd Memory Card Slot Multi Viewing Mode Features of this VR CAMERA:    Brand VR CAM Model P1 Product Dimension 15 x 15 x 5 cm Resolution 960p Android/iOS Devices Additional Featur
Read more

Buspirate v3.6 firmware upgrade from USB

Image
Buspirate:  The Bus Pirate v3.6a, created by Ian Lesnet, is a troubleshooting tool that communicates between a PC and any embedded device over 1-wire, 2-wire, 3-wire, UART, I2C, SPI, and HD44780 LCD protocols - all at voltages from 0-5.5VDC. This product eliminates a ton of early prototyping effort when working with new or unknown chips. Upgrading Firmware: buspirate will not come with new firmware so it has to be change by us. buspirate v4 : Supports firmware version 7  buspirate v3.x:  Supports firmware version 6&7 (note : firmware version 7 may hurt the device hardware not fully tested from my side doit in your won risk) Requirements: Buspirate firmware and loader : https://github.com/DangerousPrototypes/Bus_Pirate/tree/master/BPv3-bootloader ICSP pins. in these pins there are two of them which is  PGD and PGC   helps us to load the firmware into it . T he PGC and PGD pins with a jumper cable. When you are in the bootloader, the MODE LED of the Bus Pirate will stay on connect th
Read more

Dumping the Firmware from the device Using buspirate - SPI

Image
One of the best way to get the firmware from the hardware While doing penetration testing there are scenarios in which we need to dump the firmware from the devices.This method is typically used when there are no firmware’s available from vendor site. Today we are going to show you how to dump the firmware from an Wireless router Binatone DT 850W Software and hardware Requirements: Buspirate Ubuntu 16.04 or any other Linux machine Flashrom tool SOIC cable pin 8 Buspirate connectors               This is a Wireless router from Binatone DT 850W which will be used as an example for dumping the firmware. Let’s us Analyze the Inside Device.You can see IC chips like  EEPROM, UART  pins and Ralink  CPU  and also some Other   IC  chips Let us focus mainly on the  EEPROM chip (winbond W25Q16). What is EEPROM : EEPROM (also written E2PROM and pronounced “e-e-prom”, “double-e-prom” or “e-squared-prom”) stands for electrically erasable program
Read more