Simulation of a Firmware
In part-1 of this blog, we have covered how to extract a firmware and pull out sensitive content from the extracted file system. Now in this blog, we will be focusing on simulating the firmware on the browser user interface for its web application based exploitation and along with that, we will also try to backdoor a firmware so that we can get the access of the firmware when we are not in the network though.
So for the simulation, we will be focusing on majorly a fantastic framework named firmadyne and which is embedded with firmware-analysis-toolkit in attifyOS.
Environment used :
1. IoT pentesting OS named attifyOS you can have it from here: It has all the tools needed to perform analysis on any firmware.
Step 1: You can download any firmware from the links provided on the previous blog. Here I am using the same firmware for simulation which was used for extraction in part-1 of this blog i.e. DIR645.bin You can download it from here.
Step 2: Run ./fat.py file present in /home/oit/tools/firmadyne folder and fill out the details needed like name of the file and name you want it to be stored in the database( you can give according to your choice) then it will ask for database password which is firmadyne .
This password will be asked by the user three times and sometimes it also asks for the OS password as well which is by default attify123 .
NOTE: Make sure your binary file needs to be in the same folder as that of fat.py
When the password is asked for the third time it will stick for a while to create an interface and will take around 60 sec. Don't press enter during that waiting time otherwise, it will stop the simulation.
When you see that firmware is finally running just above that it will also give you the IP address to interact with that firmware like here, in this case, it is 192.168.0.1. Let's try to open this link in the browser.
The default password is set to blank just press login and you are inside the admin panel.
While browsing through it when I started with web pentesting I browsed through TOOLS tab which was vulnerable to csrf attack as no re-authentication was asked and no csrf token was used a malicious insider can change the admin password if he/she wants to.
This was just one type of web-based attack that can be performed. There are many for reference; one can prefer OWASP TOP-10.
As it has also been provided with an IP address like in this case 192.168.0.1 you can try for network-based attacks or scanning techniques which might give any network-based vulnerability. like here's a screenshot from a nmap scan providing us with the ports open and operating system architecture running.
You can also pentest it from other frameworks like routersploit which will find vulnerabilities in these devices very easily.
There are ample ways an attacker can exploit such firmware. One more way of exploiting a framework is by simply adding up your bind shell file in one of the startup programs in the device directory and rebuild the firmware and when anyone updates their firmware they will end up giving reverse shell of their router and this can even be possible to perform globally by using an account using cloud servers.
Article Link: https://blog.lucideus.com/2020/06/firmware-analysis-part-2-prabhankar.html