Firmadyne Installation & Emulation of Firmware

 Introduction

Firmadyne can be used to perform emulation and analysis of Linux based firmware.


Installation

Install Ubuntu 18.04 LTS and upgrade all packages:

sudo apt update
sudo apt upgrade

Install and configure other packages:

sudo apt-get install busybox-static fakeroot git dmsetup kpartx netcat-openbsd nmap python3-psycopg2 snmp uml-utilities util-linux vlan python3-pip python3-magic

sudo update-alternatives --install /usr/bin/python python /usr/bin/python3 10

git clone --recursive https://github.com/firmadyne/firmadyne.git

git clone https://github.com/ReFirmLabs/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install

cd ..
sudo apt-get install postgresql
sudo -u postgres createuser -P firmadyne
Give firmadyne as password.
sudo -u postgres createdb -O firmadyne firmware
sudo -u postgres psql -d firmware < ./firmadyne/database/schema

cd firmadyne
./download.sh

sudo apt-get install qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils

nano firmadyne.config

Uncomment FIRMWARE_DIR and set its value to path of firmadyne folder. Use Ctrl + o to save changes and Ctrl + x to exit.


Emulation

Download the firmware which needs to be analyzed.

wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip

Extract components of firmware:

sudo ./sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images

Find the ID generated during extraction, use it in next steps. In this case it is 1.

./scripts/getArch.sh ./images/1.tar.gz
./scripts/tar2db.py -i 1 -f ./images/1.tar.gz
sudo ./scripts/makeImage.sh 1
./scripts/inferNetwork.sh 1

Interface IP will be displayed. Here it is 192.168.0.100. Start the emulation:

./scratch/1/run.sh

Login to console using credential admin/password. Login to web UI at 192.168.0.100 using same credential.

File system can be mounted using:

sudo ./scripts/mount.sh 1


Run Analysis

SNMP

./analyses/snmpwalk.sh 192.168.0.100
less snmp.public.txt
less snmp.private.txt

Web

./analyses/webAccess.py 1 192.168.0.100 log.txt
less log.txt

Port Scan

sudo nmap -O -sV 192.168.0.100

Exploit

Install Metasploit.

sudo apt install curl
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
chmod 755 msfinstall && \
./msfinstall

Start Metasploit for the first time to complete initial configuration.

msfconsole

Exit from metasploit.

mkdir exploits
less exploits/exploit.metasploit.log
python ./analyses/runExploits.py -t 192.168.0.100 -o exploits/exploit -e x

Video



Comments

Post a Comment

Popular posts from this blog

Extract / Create Cramfs File System from Ubuntu 20.04

Image
Extract Cramfs Check the endianness of the Cramfs file: file cramfs  This is a big endian file. Convert cramfs  file to little endian file cramfs_le using cramfsswap. cramfsswap cramfs cramfs_le Extract the little endian file  cramfs_le to folder fs using fsck.cramfs. sudo fsck.cramfs --extract=fs cramfs_le Create Cramfs Use mkfs.cramfs to create Cramfs file system from the contents of folder fs .To create a little endian file system: sudo mkfs.cramfs fs cramfs_new For big endian Cramfs file system: sudo mkfs.cramfs -N big fs cramfs_new Video
Read more

Dump memory to file from U-Boot console using Memory Display (md) log

Image
 Introduction Dump firmware or other contents from memory of a device with U-Boot bootloader to a file by converting output of memory display (md) command to binary image.  Steps 1. Connect to U-Boot console using picocom and save all outputs in a log file using commad given below. Here the output is saved to log file named 'mdb.log'. sudo picocom /dev/ttyUSB0 --baud 115200 --logfile mdb.log 2. Display the contents of the memory using command: md.b <address> <length> Figure below shows the command to display memory contents from address 0x400000000 and of length 0x20000 (128KB) . The data in this example corresponds to a jffs2 file system. 3. Once the execution completes, edit the log file and remove everything other than md.b output. 4. Clone the github project uboot-mdb-dump.git git clone https://github.com/gmbnomis/uboot-mdb-dump.git 5. Generate the binary image file 'output.bin' from log file 'mdb.log'. python3 uboot-mdb-dump/uboot_mdb_to_image.p
Read more