
Attacking Firmware Module Type: Standard Method Module Number: 0x01


1 Attacking Firmware Module Type: Standard Method Module Number: 0x01
Last Updated: Author: Hermit

2 Topics
What is Firmware?
Why do we care about it?
Where can you find it?
Extracting Zip Files
Extracting Binary Files
Extracting YAFFS Files
Things to Try
More To Explore

3 What is Firmware?
Traditionally, it's code that's programmed onto a microcontroller, typically in a non-volatile manner (i.e. it can't easily be changed).
In a more modern context, it's the code that runs on a dedicated hardware device (e.g. routers, game consoles, IoT devices, etc.).
Often includes an entire Linux operating system, or at least emulates one.

4 Why do we care about it?
Firmware is the operating system upon which the devices run.
Shockingly, it often isn't secured to any meaningful standard, and may contain nasty surprises such as:
  Backdoor accounts
  Poor input sanitization
  Undocumented features/paths
  Default "random" values
Even when properly secured, it often represents a snapshot whose security posture changes over time (think OpenSSL and Heartbleed).
Even when vendors release updates, many individuals/organizations don't apply the patches.

5 Where can you find it?
The most obvious place is the vendor website, but oftentimes they'll stop hosting the firmware updates for devices that are no longer sold/supported.
In some cases, you have to dump the firmware directly from the hardware, as no published copy exists (example: Amazon Dash buttons).
In most cases, you'll get it in one of three file formats:
  Plain binary files (.bin), which may be in one of many formats
  Archive files (.zip), which contain a series of files to be processed, and are often encrypted
  Yet Another Flash File System (.yaffs), which was designed to work with flash storage, and is roughly analogous to a feature-enhanced version of TAR

6 Download A Playground!
Grab two firmware files (or go off on your own and play with a file of your choosing):
Password for DWR firmware is: beUT9Z
Or you can crack it in about 15 minutes if you'd prefer.

7 Extracting Zip Files
First, a simple check to confirm that a true ZIP file is present:
  file Firmware.zip
  Firmware.zip: Zip archive data, at least v1.0 to extract
If it instead shows "data" as the type, try "unzip" to detect an offset:
  file Firmware.zip
  Firmware.zip: data
  unzip Firmware.zip
  Archive: Firmware.zip
  warning [Firmware.zip]: 64 extra bytes at beginning or within zipfile
  (attempting to process anyway)
  [Firmware.zip] FILENAME.EXT password:
Two things to solve: the offset and the password. First, the offset: with a block size equal to the 64 extra bytes unzip reported, skipping one block drops exactly the leading junk.
  dd if=Firmware.zip of=NewFirmware.zip bs=64 skip=1
  records in
  records out
  bytes (64 MB, 61 MiB) copied, s, 54.7 MB/s
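The offset step above, as an added example that is not part of the slides: a small Python script that locates the ZIP local-file-header signature in a blob, carves from there (the in-memory equivalent of the dd step), and validates the result with the standard zipfile module. The sample image, its 64-byte vendor header and the member name are all constructed here; a real Firmware.zip is not needed.

```python
import io
import zipfile

LOCAL_HEADER = b"PK\x03\x04"  # signature that starts every ZIP local file header


def find_zip_offset(blob: bytes) -> int:
    """Offset of the first local file header, or -1 if none.
    This is the number unzip reports as 'extra bytes at beginning'."""
    return blob.find(LOCAL_HEADER)


def carve_zip(blob: bytes) -> bytes:
    """Drop everything before the archive, the in-memory twin of
    dd if=Firmware.zip of=NewFirmware.zip bs=<offset> skip=1."""
    off = find_zip_offset(blob)
    if off < 0:
        raise ValueError("no ZIP local file header found")
    return blob[off:]


def check_archive(blob: bytes):
    """(all CRCs good?, member names) via the standard zipfile module;
    testzip() returns None when every member passes its CRC check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None, zf.namelist()
    except zipfile.BadZipFile:
        return False, []


def build_sample_image() -> bytes:
    """Constructed input: a 64-byte made-up vendor header glued in front of
    a tiny unencrypted ZIP, mirroring the '64 extra bytes' case above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("FILENAME.EXT", b"placeholder firmware payload\n" * 16)
    vendor_header = b"VENDORHDR\x00".ljust(64, b"\x00")  # no 'PK' bytes inside
    return vendor_header + buf.getvalue()


def demo() -> tuple:
    """Run the whole flow on the sample: (offset, archive ok?, members)."""
    img = build_sample_image()
    ok, names = check_archive(carve_zip(img))
    return find_zip_offset(img), ok, names
```

Comparing the offset the script reports with unzip's warning is a quick sanity check before spending time on the password.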

8 Extracting Zip Files (continued)
Now to look at that password. You can use fcrackzip or John the Ripper.
Using fcrackzip:
  fcrackzip -m 2 -v -b NewFirmware.zip
  found file 'FILENAME.EXT', (size cp/uc / , flags 9, chk 7a64)
  {etc}
  8 file maximum reached, skipping further lines
  possible pw found: beUT9Z ()
  ^Checking pw bjAM7~
Using JtR:
  zip2john NewFirmware.zip > NewFirmware.hash
  john --incremental NewFirmware.hash

9 Extracting Binary Files
Just use binwalk!
  binwalk -e -M -d 2 -v ./Firmware.bin
Let's go over those switches:
  -e means extract
  -M means perform a Matryoshka (recursive) extraction
  -d specifies how deep to go on the -M scan
  -v makes it verbose

10 Extracting a Binary File (continued)
Other useful binwalk switches:
  -B scans for file signatures
  -A scans for common operation codes
  -m lets you override the default magic signatures with your own magic file (if you're looking for a particular type of file)
  -C lets you specify an alternative location for the extracted files

11 Extracting YAFFS Files
Install it if you don't have it (not installed by default in Kali):
  apt-get install unyaffs
Extract the file system:
  unyaffs ./Firmware.yaffs2

12 Things to Try
Crack the system passwords:
  john --incremental shadow
MD5 all files on the system:
  find . -type f -exec md5sum '{}' \;
Look for a webserver; common places:
  /var/www
  /var/html
  /WEBSERVER
Look for all executables:
  find ./etc -type f -executable -print
Look for configurations (quote the patterns so the shell doesn't expand them first):
  find ./etc -name '*conf*' -print
  find ./etc -name '*cfg*' -print

13 Things to Try (continued)
Look at what starts at boot:
  ls -la ./etc/rc*
Look for mount points:
  cat ./etc/fstab
Look for ISOs:
  find . -name '*.iso*' -print
Mount ISOs:
  mount -o loop,ro ./iso/path /path/to/mount
  pushd /path/to/mount
  popd
Look for BusyBox (you'll see it everywhere in /bin, for instance)
... and so much more!

14 Scavenger Hunt!
DD-WRT54G Firmware: Find code being used in production that explicitly says it's not for production use!
DWR-932B Firmware: Find the root password!
DWR-932B Firmware: Find the default DynDNS username and password
DWR-932B Firmware: Find the Setup.exe file
DD-WRT54G Firmware: Find where the "get_single_ip" function originates

15 Additional Resources
Vulnerability Writeups on 932B Firmware: vulnerabilities.html
Hermit

