ANALYZING D-LINK ROUTER FIRMWARE AND SEARCHING FOR TELNET CREDENTIALS
- Layout for this exercise:

1 - Downloading the firmware
- The firmware corresponding to the router D-LINK DIR-300 is downloaded from the support web page:


- Once the firmware is downloaded:

2 - Analyzing the firmware
- Binwalk helps to analyze the firmware. For instance, it shows that the firmware is intended to run on a MIPS architecture and that it is compressed with the LZMA algorithm:

- The section of the firmware where the squashfs filesystem is located starts at 917632:

- The command dd copies the file while skipping all the content up to where the squashfs section starts, creating a new file called fylesystem_dlink:

- The new file:

- It is a data file type:

- Applying binwalk again, we check that the new file now consists only of the squashfs section:

3 - Extracting the root file system
- Extracting the firmware with binwalk -e:

- Some files and directories are created, including the root file system at folder squashfs-root:

- The whole root file system is available at squashfs-root:

4 - Searching for the Telnet credentials
- Let's try to find any string related to the Telnet protocol using grep (-i = ignore case distinctions, -R = read recursively, -n = print line numbers):

- Line 8 of /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:

- Going to the file /etc/scripts/misc/telnetd.sh:


- The username (-u) is Alphanetworks, while the password appears to be held in the variable $image_sign:

- The same file also says where the value of the variable $image_sign is stored:

- Finally, opening /etc/config/image_sign reveals the password:

- The password can also be read with the command hexdump (see the first line):


- Likewise, using the command strings, the first string printed is the Telnet password:
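The carving and credential-hunting steps above, scripted as an added example (not part of the original write-up): carve_squashfs does what the dd command did, and find_telnet_credentials automates the grep and the follow-up of $image_sign to /etc/config/image_sign. The firmware bytes, the telnetd.sh line and the EXAMPLE_SIGN_VALUE password are constructed stand-ins, not values from the real firmware.

```python
import os
import re
import tempfile

SQUASHFS_MAGIC = (b"hsqs", b"sqsh")  # little- and big-endian squashfs magic


def carve_squashfs(image: bytes, offset: int) -> bytes:
    """Same effect as `dd if=firmware of=out bs=1 skip=OFFSET`, plus a magic check."""
    if image[offset:offset + 4] not in SQUASHFS_MAGIC:
        raise ValueError(f"no squashfs superblock at offset {offset}")
    return image[offset:]


# telnetd launched with `-u USER:$VAR`, the pattern the write-up found in telnetd.sh
TELNET_RE = re.compile(r"telnetd.*?-u\s+([^:\s]+):\$(\w+)", re.I)


def find_telnet_credentials(rootfs: str) -> list:
    """Walk an extracted rootfs (the grep -iRn step) and resolve $VAR from /etc/config/VAR."""
    hits = []
    for dirpath, _, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                lines = open(path, errors="replace").read().splitlines()
            except OSError:
                continue
            for lineno, line in enumerate(lines, 1):
                match = TELNET_RE.search(line)
                if match:
                    user, var = match.groups()
                    cfg = os.path.join(rootfs, "etc", "config", var)
                    password = open(cfg).read().strip() if os.path.isfile(cfg) else None
                    hits.append((os.path.relpath(path, rootfs), lineno, user, password))
    return hits


def demo():
    """Constructed firmware blob and rootfs that mirror the layout described above."""
    image = b"\x00" * 64 + b"hsqs" + b"\x01" * 32      # squashfs section at offset 64
    squashfs = carve_squashfs(image, 64)
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "scripts", "misc"))
    os.makedirs(os.path.join(root, "etc", "config"))
    with open(os.path.join(root, "etc", "scripts", "misc", "telnetd.sh"), "w") as f:
        f.write("#!/bin/sh\nimage_sign=`cat /etc/config/image_sign`\n"
                "telnetd -u Alphanetworks:$image_sign\n")   # constructed script line
    with open(os.path.join(root, "etc", "config", "image_sign"), "w") as f:
        f.write("EXAMPLE_SIGN_VALUE\n")                      # placeholder, not the real value
    return squashfs, find_telnet_credentials(root)
```

Each hit reports the file, line number, username and resolved password, which is the evidence a firmware audit would record for a hard-coded Telnet credential.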


5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)
- Launching the script ./fat.py and entering the name of the firmware (dir300b_v2.05) and the brand DLINK:

- The password "firmadyne" is entered to proceed with the emulation:


- The final step, setting up the network interface, lasts exactly 60 seconds, the time allotted for the firmware to boot up:


- Finally, browsing to 192.168.0.1, the firmware's web interface is reachable as if it were a real physical device:

- The emulation can be destroyed by pressing any key:
