Attacking Firmware

Module Type: Standard Method
Module Number: 0x01
Last Updated: 2017-05-29
Author: Hermit
Topics
• What is Firmware?
• Why do we care about it?
• Where can you find it?
• Extracting Zip Files
• Extracting Binary Files
• Extracting YAFFS Files
• Things to Try
• More To Explore
What is Firmware?
• Traditionally, it’s code that’s programmed onto a microcontroller, typically in a non-volatile manner (i.e. it can’t easily be changed).
• In a more modern context, it’s the code that runs on a dedicated hardware device (e.g. routers, game consoles, IoT devices, etc.).
• Often includes an entire Linux operating system, or at least emulates one.
Why do we care about it?
• Firmware is the operating system upon which the devices run.
• Shockingly, it often isn’t secured to any meaningful standard, and may contain nasty surprises such as:
  • Backdoor accounts
  • Poor input sanitization
  • Undocumented features/paths
  • Default “random” values
• Even when properly secured, it often represents a snapshot whose security posture changes over time (think openssl and Heartbleed).
• Even when vendors release updates, many individuals/organizations don’t apply the patches.
Where can you find it?
• The most obvious place is the vendor website, but oftentimes they’ll stop hosting the firmware updates for devices that are no longer sold/supported.
• In some cases, you have to dump the firmware directly from the hardware, as no published copy exists (example: Amazon Dash buttons).
• In most cases, you’ll get it in one of three file formats:
  • Plain binary files (.bin) may be one of many formats
  • Archive files (.zip) contain a series of files to be processed, and are often encrypted
  • Yet Another Flash File System (.yaffs), which was designed to work with flash storage, and is roughly analogous to a feature-enhanced version of TAR
Download A Playground!
• Grab two firmware files (or go off on your own and play with a file of your choosing):
  • https://www.stackattack.net/files/fw-dwr-932-2.03.zip
  • https://www.stackattack.net/files/fw-wrt-54g-4.21.5.bin
• Password for the DWR firmware is: beUT9Z
  Or you can crack it in about 15 minutes if you’d prefer.
Extracting Zip Files
• First, a simple check to confirm that a true ZIP file is present:
hermit@system:~$ file Firmware.zip
Firmware.zip: Zip archive data, at least v1.0 to extract
• If it instead shows “data” as the type, try “unzip” to detect an offset:
hermit@system:~$ file Firmware.zip
Firmware.zip: data
hermit@system:~$ unzip Firmware.zip
Archive:  Firmware.zip
warning [Firmware.zip]: 64 extra bytes at beginning or within zipfile
(attempting to process anyway)
[Firmware.zip] FILENAME.EXT password:
• Two things to solve: the offset and the password. First, the offset (bs=64 skip=1 drops exactly the 64 leading bytes that unzip reported):
hermit@system:~$ dd if=Firmware.zip of=NewFirmware.zip bs=64 skip=1
993106+1 records in
993106+1 records out
63558829 bytes (64 MB, 61 MiB) copied, 1.16206 s, 54.7 MB/s
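The offset step above, as an added shell example that is not part of the deck: instead of relying on unzip’s “extra bytes” warning, it scans the blob for the first ZIP local-file-header signature (PK\003\004) with od and awk, then carves from that byte with tail -c, which also behaves correctly when the offset turns out to be 0 (dd with bs=0 would not). The file names, the 64-byte junk prefix and the hand-encoded one-entry ZIP are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the deck): find the start of a ZIP archive buried
# behind junk bytes and carve it out. Only od, awk, tail and dd are used, so
# it runs on a minimal Linux toolchain. All sample data is constructed below.

# Print the 0-based byte offset of the first ZIP local-file-header signature
# ("PK\003\004") in file $1; print nothing if the signature is absent.
find_zip_offset() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' | awk '{
        for (i = 1; i <= NF - 3; i++)
            if ($i == "50" && $(i+1) == "4b" && $(i+2) == "03" && $(i+3) == "04") {
                print i - 1
                exit
            }
    }'
}

# Copy file $1 to $2 starting at byte offset $3. Same effect as the deck's
# "dd if=... of=... bs=64 skip=1", without the bs/skip arithmetic, and an
# offset of 0 simply copies the whole file.
carve_at_offset() {
    tail -c +"$(( $3 + 1 ))" "$1" > "$2"
}

# Helper: emit $1 NUL bytes (padding for the hand-encoded ZIP headers).
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# Constructed sample: 64 junk bytes ('0' characters) followed by a minimal
# valid ZIP holding one empty, stored file named "a". Little-endian layout:
# local header (30 bytes + name), central directory entry (46 bytes + name),
# end-of-central-directory record (22 bytes). Total archive size: 100 bytes.
make_sample() {
    {
        printf '%064d' 0                                                      # junk prefix
        printf 'PK\003\004\012\000'; zeros 20; printf '\001\000\000\000a'     # local header, name "a"
        printf 'PK\001\002\012\000\012\000'; zeros 20; printf '\001\000'; zeros 16; printf 'a'  # central dir entry
        printf 'PK\005\006\000\000\000\000\001\000\001\000\057\000\000\000\037\000\000\000\000\000'  # EOCD: 1 entry, CD size 47 at offset 31
    } > "$1"
}

# Stand-alone demo on temporary files.
sample=$(mktemp); carved=$(mktemp)
make_sample "$sample"
offset=$(find_zip_offset "$sample")
echo "ZIP signature found at byte offset: ${offset:-none}"
carve_at_offset "$sample" "$carved" "${offset:-0}"
if command -v unzip >/dev/null 2>&1; then unzip -l "$carved"; fi
rm -f "$sample" "$carved"
```

The od/awk scan is the same idea binwalk applies at scale with its signature database; on a real 60 MB image it is slow but correct, and it does not depend on unzip being willing to parse the damaged file at all.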
Extracting Zip Files (continued)
• Now to look at that password. You can use fcrackzip or John the Ripper.
• Using fcrackzip:
hermit@system:~$ fcrackzip -m 2 -v -b NewFirmware.zip
found file ‘FILENAME.EXT’, (size cp/uc 12/ 0, flags 9, chk 7a64)
{etc}
8 file maximum reached, skipping further lines
possible pw found: beUT9Z ()
^Checking pw bjAM7~
• Using JtR:
hermit@system:~$ zip2john NewFirmware.zip > NewFirmware.hash
hermit@system:~$ john --incremental NewFirmware.hash
Extracting Binary Files
• Just use binwalk!
hermit@system:~$ binwalk -e -M -d 2 -v ./Firmware.bin
• Let’s go over those switches:
  • -e means extract
  • -M means perform a Matryoshka (recursive extraction)
  • -d specifies how deep to go on the -M scan
  • -v makes it verbose
Extracting Binary Files (continued)
• Other useful binwalk commands:
  • -B scans for file signatures
  • -A scans for common operation codes
  • -m lets you override the default magic bytes (if you’re looking for a particular type of file)
  • -C lets you specify an alternative location for the extracted files
Extracting YAFFS Files
• Install it if you don’t have it (not installed by default in Kali):
hermit@system:~$ apt-get install unyaffs
• Extract the file system:
hermit@system:~$ unyaffs ./Firmware.yaffs2
Things to Try
• Crack the system passwords:
hermit@system:~/FWDemo/yaffs_extract/etc$ john --incremental shadow
• MD5 all files on the system:
hermit@system:~/FWDemo/yaffs_extract$ find . -type f -exec md5sum '{}' \;
• Look for a webserver, common places:
  • /var/www
  • /var/html
  • /WEBSERVER
• Look for all executables:
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -type f -executable -print
• Look for configurations (quote the globs so the shell doesn’t expand them before find sees them):
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name '*conf*' -print
hermit@system:~/FWDemo/yaffs_extract$ find ./etc -name '*cfg*' -print
Things to Try (continued)
• Look at what starts at boot:
hermit@system:~/FWDemo/yaffs_extract$ ls -la ./etc/rc*
• Look for mount points:
hermit@system:~/FWDemo/yaffs_extract$ cat ./etc/fstab
• Look for ISOs:
hermit@system:~/FWDemo/yaffs_extract$ find . -name '*.iso*' -print
• Mount ISOs (read-only, on a loop device):
hermit@system:~/FWDemo/yaffs_extract$ mount -o loop,ro ./iso/path /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ pushd /path/to/mount
hermit@system:~/FWDemo/yaffs_extract$ popd
• Look for BusyBox (you’ll see it everywhere in /bin, for instance)
• … and so much more!
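The checks on the two “Things to Try” slides, gathered into one added shell script that is not part of the deck and runs against an extracted root filesystem. It assumes the usual layout (etc/shadow, etc/rc*, var/www and the other web roots named above), uses the POSIX find -perm test rather than GNU -executable, quotes the *conf*/*cfg* globs, and adds two checks the slides only hint at: accounts whose shadow entry has an empty password field, and setuid/setgid binaries. The sample tree, its placeholder hash and its config values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the deck): a triage pass over an extracted firmware
# root filesystem, turning the "Things to Try" checks into functions whose
# output can be verified. The sample rootfs below is constructed for the demo;
# its shadow hash and config values are placeholders, not real credentials.

# Accounts in etc/shadow with an empty password field (login with no password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# Accounts whose second field is an actual hash rather than a "*" or "!"
# locked marker: the ones to compare against known default/vendor credentials.
hashed_accounts() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1/etc/shadow"
}

# Which of the deck's three common web roots exist in the tree.
present_webroots() {
    for d in var/www var/html WEBSERVER; do
        if [ -d "$1/$d" ]; then echo "/$d"; fi
    done
}

# Executable regular files (POSIX -perm instead of GNU -executable), and the
# setuid/setgid subset, which deserves a closer look on any device.
count_executables() { find "$1" -type f -perm -u+x | wc -l | tr -d ' '; }
list_setuid() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sed "s|^$1||"; }

# Config-looking files under etc. The globs are quoted so the shell does not
# expand them against the current directory before find sees them.
list_configs() {
    find "$1/etc" -type f \( -name '*conf*' -o -name '*cfg*' \) | sed "s|^$1||"
}

# Boot-time entries: everything matching etc/rc* (files or directories).
list_boot_scripts() { find "$1/etc" -maxdepth 1 -name 'rc*' | sed "s|^$1||"; }

# Per-file MD5 manifest, sorted by path, so two firmware versions can be diffed.
hash_manifest() { ( cd "$1" && find . -type f -exec md5sum {} \; | sort -k2 ); }

# Constructed sample rootfs: one real-looking hash, one locked account, one
# empty password, a setuid helper, two config files, an rc script, a web root.
make_sample_rootfs() {
    r=$1
    mkdir -p "$r/etc/rc.d" "$r/bin" "$r/usr/sbin" "$r/var/www"
    printf 'root:$1$placeholder$NOTAREALHASHxxxxxxxxxxxx:17000:0:99999:7:::\n' > "$r/etc/shadow"
    printf 'daemon:*:17000:0:99999:7:::\n' >> "$r/etc/shadow"
    printf 'admin::17000:0:99999:7:::\n' >> "$r/etc/shadow"
    printf '#!/bin/sh\necho busybox\n' > "$r/bin/busybox";   chmod 755 "$r/bin/busybox"
    printf '#!/bin/sh\n' > "$r/usr/sbin/helper";             chmod 4755 "$r/usr/sbin/helper"
    printf 'ddns_user=placeholder\nddns_pass=placeholder\n' > "$r/etc/ddns.conf"
    printf 'lan_ip=192.0.2.1\n' > "$r/etc/network.cfg"
    printf '#!/bin/sh\n/usr/sbin/helper &\n' > "$r/etc/rc.local"; chmod 755 "$r/etc/rc.local"
    printf '<html></html>\n' > "$r/var/www/index.html"
}

# Print a human-readable report for the rootfs at $1.
triage_report() {
    echo "== empty-password accounts ==";   empty_password_accounts "$1"
    echo "== accounts with real hashes =="; hashed_accounts "$1"
    echo "== web roots ==";                 present_webroots "$1"
    echo "== executables: $(count_executables "$1"); setuid/setgid: =="; list_setuid "$1"
    echo "== config files ==";              list_configs "$1"
    echo "== boot entries ==";              list_boot_scripts "$1"
}

# Stand-alone demo on a temporary constructed tree.
root=$(mktemp -d)
make_sample_rootfs "$root"
triage_report "$root"
rm -rf "$root"
```

Point the functions at the directory binwalk or unyaffs produced (the yaffs_extract directory in the slides) instead of the constructed tree; the MD5 manifest is worth saving, since diffing it against the manifest of the vendor’s next release shows exactly which files a patch touched.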
Scavenger Hunt!
1. DD-WRT54G Firmware
Find code being used in production that explicitly says it’s not for
production use!
2. DWR-932B Firmware
Find the root password!
3. DWR-932B Firmware
Find the default DynDNS username and password
4. DWR-932B Firmware
Find the Setup.exe file
5. DD-WRT54G Firmware
Find where the “get_single_ip” function originates
Additional Resources
• Vulnerability Writeups on 932B Firmware
• https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routersvulnerabilities.html
• https://pierrekim.github.io/blog/2017-02-02-update-dlink-dwr-932b-lte-routersvulnerabilities.html
• Hermit
• https://twitter.com/hermit_hacker
• https://www.cryptolingus.net/
• https://www.stackattack.net/blog/