EmbeddedDevices

From Paul's Security Weekly

SANS Las Vegas, October 26-27, will debut a new course titled "Embedded Device Security Assessments for the Rest of Us", which teaches students how to assess embedded systems of all varieties on pen tests and in their duties as a security professional.


Embedded Devices

Media

Paul & John Strand SANS Webcast: Hacking Embedded devices, no axe required

Soho Security Study

Nessus

I wrote an article: Scanning Embedded Systems In The Enterprise With Nessus (http://bit.ly/10nRtdT)


Nmap

nmap -P0 -vv -sS -r -n -p 1-65535 192.168.1.7

nmap -P0 -T5 -sU -r -n -p 1-1024 192.168.1.7

Peeper.py (https://github.com/invisiblethreat/peeper)

Takes screenshots of all web sites in Nessus results

recon-ng - General purposes recon tool


Determine Device Type

Visit the web configuration screen.
Banners: SNMP, FTP, TELNET, SSH.
Is it running FOSS that has known vulnerabilities?


Offline Work

Visit the manufacturer's web site:
Read manuals (default passwords? Win!)
Review the software license (GNU software? Runs Linux!)
Download firmware - this starts an entirely new process; we won't cover debugging with IDA, but there are quicker wins.


Basic Analysis: Strings

$ strings -8 firmware.bin | grep "^/" | less

/webauth/login.htm
/webauth/login_fail.htm
/webauth/login_fail_held.htm
/webauth/login_full.htm
/webauth/login_success.htm
/webauth/login.htm?oriurl=/webauth/
/xml/devicedesc.xml
/webauth/
/webauth/login_fail_held.htm

Find Authentication Bypass

#!/bin/bash
# Request every web page path dumped from the firmware (one path per line in "webfiles")
# and keep whatever the device returns for each one.
while read -r p
do
        wget "http://192.168.1.7$p"
done < webfiles

"webfiles" contains all web page URLs dumped from the firmware.


Basic Analysis: Grep

# grep --binary-files=text -bi "vxworks" ram.bin
# grep --binary-files=text -bi -A 50 "password" ram.bin

13899779:username admin password 7 21232f297a57a5a743894a0e4a801fc3
13899840-username guest access-level 0
13899870:username guest password 7 084e0343a0486ff05530df6c705c8bb4
13899931:enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca


Basic Firmware Analysis

# binwalk DIR-850L_FW_v1.03b02.bin

DECIMAL   	HEX       	DESCRIPTION
--------------------------------------------------------------------------------------
0         	0x0       	DLOB firmware header, boot partition: "dev=/dev/mtdblock/1"
589       	0x24D     	LZMA compressed data, properties: 0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
10376     	0x2888    	LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 5034652 bytes
1638512   	0x190070  	PackImg section delimiter tag, little endian size: 12610048 bytes; big endian size: 6995968 bytes
1638544   	0x190090  	Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 6992339 bytes, 2435 inodes, blocksize: 131072 bytes, created: Tue Mar 12 06:45:03 2013


Reverse Engineering Firmware Primer

Extract File System

# binwalk --dd=squashfs:1 DIR-850L_FW_v1.03b02.bin

# cd _DIR-850L_FW_v1.03b02.bin.extracted/
# file 190090.1

190090.1: Squashfs filesystem, little endian, version 4.0, 1778655743 bytes, 2435 inodes, blocksize: 0 bytes, created: Mon Sep 21 17:59:44 2026
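A hand-rolled version of the squashfs scan and carve above, added here as an example that is not part of the original page or of binwalk: it locates "hsqs" superblocks, applies sanity checks so a stray magic string in a header is not reported, and reads the size, inode count and timestamp fields directly, which is a useful cross-check when `file` reports values that disagree with binwalk (1778655743 bytes and a 2026 date above versus 6992339 bytes and 2013). The sample image is constructed, with the DIR-850L figures from the binwalk listing placed at offset 128.

```python
import struct
from datetime import datetime, timezone

SQUASHFS_MAGIC = b"hsqs"  # little-endian squashfs, as in the DIR-850L image above
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
# Leading 96 bytes of a squashfs 4.x superblock: magic, inode_count, mod_time,
# block_size, fragment_entry_count, compression_id, block_log, flags, id_count,
# version_major, version_minor, then eight u64 fields (bytes_used is the second).
SB = struct.Struct("<4sIIIIHHHHHHQQQQQQQQ")

def scan_squashfs(blob: bytes):
    """binwalk-style scan: every offset whose 'hsqs' magic heads a sane superblock."""
    found, pos = [], blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + SB.size <= len(blob):
            f = SB.unpack_from(blob, pos)
            inodes, mtime, bsize, comp, blog, vmaj, vmin, used = (
                f[1], f[2], f[3], f[5], f[6], f[9], f[10], f[12])
            # Reject stray "hsqs" strings: require version 4.x, a power-of-two block
            # size that agrees with block_log, and a declared size that fits the image.
            if (vmaj == 4 and bsize == 1 << blog and 4096 <= bsize <= 1 << 20
                    and used <= len(blob) - pos):
                found.append({
                    "offset": pos, "version": f"{vmaj}.{vmin}",
                    "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
                    "size": used, "inodes": inodes, "blocksize": bsize,
                    "created": datetime.fromtimestamp(mtime, tz=timezone.utc)
                    .strftime("%Y-%m-%d %H:%M:%S")})
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return found

def carve(blob: bytes, entry: dict) -> bytes:
    """The slice `binwalk --dd=squashfs:1` writes out for unsquashfs to unpack."""
    return blob[entry["offset"]:entry["offset"] + entry["size"]]

def _superblock(inodes, mtime, bsize, comp, used):
    """Constructed v4.0 superblock with only the fields this scanner reads filled in."""
    return SB.pack(SQUASHFS_MAGIC, inodes, mtime, bsize, 0, comp, bsize.bit_length() - 1,
                   0, 1, 4, 0, 0, used, 0, 0, 0, 0, 0, 0)

# Constructed sample image: a DLOB-like header that also contains a decoy "hsqs" inside
# a string, then a real superblock at offset 128 with the DIR-850L figures (2435 inodes,
# 128 KiB blocks, lzma, 2013-03-12 06:45:03 UTC), filler standing in for the fs tables.
HEADER = b"DLOB-like header, dev=/dev/mtdblock/1 hsqs-in-a-string\x00".ljust(128, b"\x00")
SAMPLE_FW = HEADER + _superblock(2435, 1363070703, 131072, 2, 96 + 160) + b"\xaa" * 160 + b"trailer\x00"

if __name__ == "__main__":
    for e in scan_squashfs(SAMPLE_FW):
        print(f"{e['offset']:<10}{e['offset']:#010x}  Squashfs {e['version']}, {e['compression']}, "
              f"{e['size']} bytes, {e['inodes']} inodes, blocksize {e['blocksize']}, created {e['created']}")
```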

Firmware Toolkit

Now we understand at least one building block. Time to automate!
Works best with home routers and access points.
Firmware toolkit is a collection of scripts and tools to extract firmware: firmware headers, kernel, file system.

# ./extract-ng.sh DIR-850L_FW_v1.03b02.bin 
Firmware Mod Kit (build-ng) 0.78 beta, (c)2011-2012 Craig Heffner, Jeremy Collake
http://www.bitsum.com

Scanning firmware...

DECIMAL   	HEX       	DESCRIPTION
--------------------------------------------------------------------------------------

0         	0x0       	DLOB firmware header, signature=wrgac05_dlob.hans_dir850l, dev=/dev/mtdblock/1

1638544   	0x190090  	Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 6992339 bytes, 2435 inodes, blocksize: 131072 bytes, created: Tue Mar 12 06:45:03 2013

Extracting 1638544 bytes of dlob header image at offset 0
Extracting squashfs file system at offset 1638544
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'


Qemu is your Friend

Run ARM or MIPS binaries on your i386 system.
Allows you to debug them too, and run the web server, then test using something like Burp.
Test devices without actually having the device! Find vulnerabilities pre-purchase.

# chroot . ./qemu-mips-static  sbin/httpd -f var/run/httpd.conf


# ./qemu-mips-static  bin/ls 


Enumerate Web Pages

root@ubuntu:/usr/src/firmware-mod-kit-read-only/trunk/fmk/rootfs/htdocs# ls

cgibin          HNAP1    neap              phplib  upnpdevdesc  web        webinc
fileaccess.cgi  mydlink  parentalcontrols  upnp    upnpinc      webaccess  widget


Metasploit

Metasploit now has a MIPS payload: http://bit.ly/ZE9zVN
Several web command execution vulns.
Post-exploitation for embedded systems.

Research & Resources

Once you identify the device, see if others have reverse engineered the firmware or disclosed vulnerabilities:

http://www.devttys0.com

http://www.powerofcommunity.net/poc2012/re&si.pdf

http://this8bitlife.com/adventures-in-linux-reverse-engineering-firmware/

http://www.digitalworldz.co.uk/47718-looking-inside-jffs2-images.html

http://bramp.net/blog/2012/01/hacking-linksys-e4200v2-firmware/

http://pauldotcom.com/wiki/index.php/Episode320#Interview:_Craig_Heffner < Interview w/ binwalk author

http://codeinsecurity.wordpress.com/category/reverse-engineering/

https://media.blackhat.com/us-13/US-13-Zaddach-Workshop-on-Embedded-Devices-Security-and-Firmware-Reverse-Engineering-WP.pdf

http://en.wikibooks.org/wiki/Reverse_Engineering/File_Formats

http://conceptofproof.wordpress.com/2013/10/20/reverse-engineering-a-netgear-wndr3800-router/

http://www.sans.org/reading-room/whitepapers/testing/exploiting-embedded-devices-34022

https://code.google.com/p/binwalk/wiki/Projects

http://dl.packetstormsecurity.net/papers/general/reverse_engineering_ip_camera_firmware.pdf

http://thehackerblog.com/linksys-wrt56g-backdoor-payload/

http://wiki.pauldotcom.com/wiki/index.php/Episode308#Tech_Segment:_Reverse_Engineering_Firmware_Primer

http://landley.net/aboriginal/presentation.html

http://insight-labs.org/wp-content/uploads/2011/09/Embedded-Devices-Hacking.pdf

http://insight-labs.org/wiki/index.php?type=article&class=Firmware