Tuesday, May 2, 2017
5 - Analyzing, emulating and searching for Telnet credentials in a D-LINK router firmware
ANALYZING D-LINK ROUTER FIRMWARE AND SEARCHING FOR TELNET CREDENTIALS
- Layout for this exercise:
1 - Downloading the firmware
- The firmware corresponding to the router D-LINK DIR-300 is downloaded from the support web page:
- Once the firmware is downloaded:
2 - Analyzing the firmware
- Binwalk helps to analyze the firmware. For instance, it shows that the firmware is built for the MIPS architecture and that it is compressed with the LZMA algorithm:
- The section of the firmware where the squashfs filesystem is located starts at offset 917632:
- The command dd copies the file, skipping all the content up to where the squashfs section starts, and creates a new file called fylesystem_dlink:
- The new file:
- Its type is reported as plain data:
- Applying binwalk again, we check that the new file now consists only of the squashfs section:
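As an added example (not code from the original post), the following Python script does on a constructed stand-in image what binwalk and dd do in this step: it scans for the SquashFS superblock magic, carves everything from that offset onward, and reads the version and compressor fields of the superblock. The sample image and its offset are constructed for the example; a real image would be read from disk instead.

```python
import struct

# SquashFS superblock magics: "hsqs" for little-endian images (the MIPS DIR-300
# case) and "sqsh" for big-endian ones.
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")

def find_squashfs_offsets(image: bytes) -> list:
    """Offsets of every SquashFS superblock magic in the image (what binwalk reports)."""
    hits = []
    for magic in SQUASHFS_MAGICS:
        pos = image.find(magic)
        while pos != -1:
            hits.append(pos)
            pos = image.find(magic, pos + 1)
    return sorted(hits)

def carve_from_offset(image: bytes, offset: int) -> bytes:
    """Same result as `dd if=fw.bin of=out bs=1 skip=<offset>`: drop everything before offset."""
    return image[offset:]

def describe_superblock(sb: bytes) -> dict:
    """Read fields common to SquashFS 3.x and 4.0 superblocks: major/minor version at
    bytes 28-31. The compressor id (bytes 20-21, 2 = LZMA) only exists in 4.0."""
    endian = "<" if sb[:4] == b"hsqs" else ">"
    major, minor = struct.unpack(endian + "HH", sb[28:32])
    info = {"version": f"{major}.{minor}"}
    if major == 4:
        comp_id = struct.unpack(endian + "H", sb[20:22])[0]
        names = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
        info["compressor"] = names.get(comp_id, "unknown")
    return info

# Constructed stand-in for a firmware image (not the real DIR-300 file): a fake header
# and kernel region of filler, then a minimal little-endian SquashFS 4.0 superblock
# (compressor 2 = LZMA) at offset 1024, followed by zero padding.
SQUASHFS_OFFSET = 1024
_superblock = struct.pack("<4sIIIIHHHHHHqq",
                          b"hsqs", 12, 0, 131072, 0, 2, 17, 0, 1, 4, 0, 0, 4096)
FIRMWARE = (b"CONSTRUCTED-HEADER" + b"\x00" * 46 + b"FAKE-KERNEL-DATA" * 60
            + _superblock + b"\x00" * 4000)

if __name__ == "__main__":
    for off in find_squashfs_offsets(FIRMWARE):
        carved = carve_from_offset(FIRMWARE, off)
        print(f"squashfs at {off}: {len(carved)} bytes, {describe_superblock(carved)}")
```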
3 - Extracting the root file system
- Extracting the firmware with binwalk -e:
- Some files and directories are created, including the root file system in the folder squashfs-root:
- The whole root file system is available at squashfs-root:
4 - Searching for the Telnet credentials
- Let's try to find any string related to the Telnet protocol using grep (-i ignores case distinctions, -R reads recursively, -n prints line numbers):
- Line number 8 inside /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:
- Going to the file /etc/scripts/misc/telnetd.sh:
- While the username (-u) is Alphanetworks, the password seems to be stored in the variable $image_sign:
- The file also says where the value of the variable $image_sign is stored:
- Eventually the password is available by opening /etc/config/image_sign:
- By the way, the password can also be seen with the command hexdump (see the first line):
- Likewise, using the command strings, the first string corresponds to the Telnet password:
5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)
- Launching the script ./fat.py and entering the name of the firmware (dir300b_v2.05) and the brand DLINK:
- The password "firmadyne" is entered to proceed with the emulation:
- The final step, setting up the network interface, lasts exactly 60 seconds, the time allotted for the firmware to boot up:
- Finally, browsing to 192.168.0.1, the firmware is available as if it were a real physical device:
- The emulation can be destroyed by pressing any key: