IoT Hacking - Netgear AC1750 NightHawk - Firmware Extraction via Root Shell

Captions
What's up everybody, this is Matt Brown with another IoT hacking video. Today we're going to take our second look at a Netgear AC1750 Wi-Fi router, the Nighthawk series, and in this video we're going to build upon the place that we left off in our last video. If you remember, in our last video we found an unauthenticated UART shell from the hardware of this device that gives us a full root shell on the underlying Linux system of this Wi-Fi router. So in this video today what we're going to do is take that root shell and extract all of the firmware, and we're actually going to show two different ways, the two main ways that I will use a root shell like that to extract firmware. In a lot of other videos I demonstrate what I call kind of the nuclear method of extracting firmware, where you have to pull the chip off of the board, you have to desolder it from the PCB and place that chip in some specialized flash reader and extract the flash contents out that way. Well, we don't have to do that in this case because we have a root shell on this router, and we're going to utilize that today, and I'm going to show you the two methods that I use predominantly to perform those actions. So I'm going to go look at the desk really quick and then we're going to jump back to the computer.

The only thing that I've done from last time is I have plugged the Ethernet WAN port of the Wi-Fi router into my test lab network here so that we will be able to give this device internet, and I've also factory reset it with the little factory reset button there where you push a paperclip in, and that is so I don't have to censor anything that shows up in the shell anymore; that just makes things easier for me. But other than that this is all the same setup; we are powering it with a bench power supply because I did not have the power supply for this device. So with that we are going to go look at our computer over here and navigate to our nifty root shell that we have set up on the device.

Just a reminder, we get dropped into this shell over this UART cable that we have connected up to those UART pins on the PCB, and it drops us into a full root shell. We did not have to brute force a root password hash or anything like that; it just dropped us in here. You don't usually get this lucky, but today we are. So now what we want to do is extract some of the firmware. Last time I kind of showed running the mount command, and we can see here by running this mount command that there are a lot of different ways some of these file systems will show up, especially the root file system on a device like this, but we can see that there are actually these dev nodes on the Linux system that say /dev/mtdblock and then a number, and so this is going to be super helpful for us. What we're going to do is try to extract the different flash partitions using these mtdblock device nodes. We can actually say ls /dev/mtdblock* and there we can see that we have all of those partitions on the flash chip labeled as mtdblock0 through 19, it looks like, and so those are going to be all the different partitions that are available on the flash chip.

So now we want to extract that off of the device, and there are a few different ways that we can do this. If we were thinking of this like any other Linux system that we wanted to pull data off of, let's say you just had a Linux laptop sitting in front of you, how could you pull data off of that? Obviously we can't load up a web browser on this thing, but we can use the fact that it has internet connectivity to send files over the network to our local computer here, and so that is one of the methods that we're going to explore. The other that is available on this device, and it is really device specific whether this is a possibility at all, is that there's actually a USB port on this device and you can mount a file system from a USB thumb drive, or in this case just a USB terabyte hard drive, and it will allow you to mount that partition; then you can load anything you want onto it, unplug it and plug it into your computer. So those are the two methods we're going to explore: over USB and over the network.

I think the first way we're going to look at this is via USB. Right here I just have a typical USB hard drive, it's a terabyte, and I have formatted this with a FAT32 partition. The reasoning for that is that it's very widely supported. There could be other partitions in Linux like ext3, ext4; on a Linux desktop of course you could expect that to be supported, but on embedded devices those kernel drivers and utilities will sometimes not be built in, so that's just something to be aware of. So on this device, just kind of showing us at the desk really fast, right up here is a USB 3.0 port and I'm going to plug that in. Actually, I want to show you guys what happens, because this is crazy how this happens, so let's actually watch the shell when I plug this in. I plug in my USB hard drive, give it a second here, and it actually automatically detects that the USB is plugged in and it mounts it, and then, this is so crazy, there's obviously some kind of file share feature that is built into this router, so it's already starting to set up the files that are on this hard drive to be shared over the network using this Wi-Fi router. That's pretty crazy, but we are not too concerned about that; that may be a feature that we might want to do some security testing on later, but for now we just want to extract this firmware.

So we run that mount command again and here we see a new item show up right here at the bottom of the list. Okay, it's going to scroll a bunch of stuff here, but we see this sdb1 device is mounted, and it says "mounted on"; that means that's the folder, the directory location where that partition is mounted. So we can actually cd into that, and you can see my testing from before here; we'll delete those files. Of course that doesn't exist, but you'll notice I did not create this folder, so it just started automatically mounting my hard drive and creating folders there and all sorts of stuff. So now what we need to do is copy the data from all those other partitions on the flash chip into this folder, because this folder is not mounted on the flash chip, it's mounted on our removable USB hard drive.

So, again, kind of showing what we want to copy out: the first thing we want to copy out is this device node; we want to do a byte-for-byte copy of what's being stored here. Now, we can't just run the copy command. Whoops, that's not what I want to do. You'll notice that the file size is like one; this is a certain type of file, a block device, but there is actually a bunch of data that is being backed by this block device, and so what we want to do is use the dd command. Unfortunately the dd command does not exist on this system, but what's really cool is that there are projects out there of people on GitHub who host statically compiled binaries for a whole bunch of different architectures. So what we're going to do is run uname -a, and this is going to tell us right over here that this is an armv7l system, so this is an ARM Linux system here; that's the architecture, and that's important when we go try to find a statically compiled binary, so that we find one that's compatible. I will post this GitHub repository; I use these binaries all the time, it's a really good curated set of statically compiled ARM libraries, and the first one we're going to use today is this statically compiled dd binary. So I'm going to click on this; this is a raw file, obviously there's no preview, and I'm going to right click on Raw and say copy link.

So we'll go back over here, and when I'm dropping a file I can't just drop it anywhere; usually I'm going to go throw it in /tmp. Our tmp file system right here, okay, it's mounted read-writable and there's no noexec permission here. Sometimes you've got to watch out for that if you're dealing with a system that's a little more security conscious; obviously this one is not, because it just drops you to a root shell, but that noexec permission can sometimes be set up on a partition, which would not allow you to run any executables even if you set the executable bit. Here we don't have to deal with that. So we're going to run wget on that. Oh yeah, it's going to tell us that... I hate these terminals. All right, so it's going to tell us that we need to do --no-check-certificate because it's having trouble with that. Good, go back, copy your link, cool. So now it says it downloaded this dd binary, but right now the permissions aren't set correctly, so we're just going to make sure that it is marked as executable, and now we should be able to run the dd program.

So now we have brought onto our system this dd utility and we can use it to copy data to our location over here. For that we are going to run... so this is obviously not going to be in our PATH, we can't just type dd, we actually have to type out the full path of this binary, and then for dd you say the infile, so it's going to be /dev/mtdblock0, and then we're going to specify the out file, and for this we just call it mtdblock0.bin; we can call it whatever we want. Then we're going to set the block size to one meg just because that'll allow the copy to be a little bit faster. So we're going to run that and it has copied that data, not there, right here into our USB removable hard drive. Then what we would do is just repeat this process for all of these partitions, and some of them will go really fast because they'll be really small, and the other ones will take a long time, and the ones that take a long time are obviously going to be the ones you probably care about more than the other ones. So this is one way for us to get that data off of our IoT device, where it's kind of restricted in there, and get it back to our computer, because in the next set of videos what we're going to do is take the binaries, the firmware that we extract out of the system, and actually hunt and reverse engineer those binaries, looking for vulnerabilities, looking to understand how the system works. But the first step is extracting it off.

So this is taking a while, so I'm wondering if this is a larger partition here, mtdblock2. All right, just for the sake of having this go quickly I'm going to cancel out of this, and for this video, since I know that this one has got good stuff on it, I'm going to do mtdblock18. So we'll do that one and we're going to let this one complete. When I Ctrl-C'd out of this it told me that it had copied quite a bit of data from that mtdblock2, so we are going to allow this 18 to complete. In the meantime I'm going to... oh, there we go, cool, that finished. All right, so there we go, mtdblock18. And now I'm going to... is sync not running? Okay, I just hope that the data actually is copied over. All right, so now I'm going to remove my hard drive and come over to my desktop machine. We've got a bunch of these disks; come on, I think in my system it's going to show up as sd... come on, man. There we go. Okay, so let's mkdir -p mnt, sudo mount /dev/sdc1... no, it doesn't like it. All right, lsblk. I wonder if the system remounted it or something like that, or reformatted the file system; that's what I'm wondering if is going on right now. So let's see: "synchronize cache failed", okay. lsblk, yeah, it's still not showing up. Let me try that again. "Synchronize cache failed", okay, my drive is clearly failing somehow, that's awesome. But anyway, you get the idea: when your USB device is not failing you can pull the data off that way.

We're going to move on to our second method, so if your USB device also craps the bed you can fall back to doing it over the network, and that's what we are going to demonstrate right now. All right, make the device shell big again. For this one what we're going to do is use netcat. netcat, or nc, is also not on this system, but have no fear, we also have a static ARM binary for the netcat program, and right here is that binary. I'm going to copy that link and then go to /tmp like I did last time, wget... what do I have to do, --no-check-certificate, there we go. All right, so we downloaded that just fine, chmod 755, so now our netcat program is executable. Just want to do -h, there we go. So now we have netcat, or we have that binary, running just fine on the router, and now we're going to use that to extract the firmware out to our machine. We're going to actually run netcat on both sides. Over here in our demo2 folder we are going to prepare the netcat listener, so we're going to type netcat, -l for listen (I just kind of do this instinctively; I do a bunch of these flags, some of which I don't even know what they mean), and 1234, so we're going to listen on port 1234.

So first, for starters, I'll show you the way to transfer data and then how we're actually going to transfer the firmware, because that's going to be a little bit different. Let's just call this test.txt and then I'm going to listen; it's going to wait for a connection, and when it receives a connection it's going to write all the data it gets sent over that TCP connection into the file test.txt. From here I can do this and say 10.10.10.2, which is my desktop machine on my test network here, and 1234, and now I can type "hello world", and now I'll Ctrl-C out of that, and over on my computer that data got transferred. Now with a binary file we have to be careful not to just chuck it into standard in or standard out and stuff like that, because it can do funky things to your terminal, so what we're going to do is compress it, then send it over the socket, and then on the other side we're going to decompress the file and write the firmware.

The full command to do that is going to be: we're going to use dd like we did before, so now we're going to combine these two things. We do the first part like we did, so /dev/mtdblock0, and we're going to also specify that block size like we did last time, but what we're not going to do is specify the out file, because instead of having an out file we're going to have it go over standard out to standard in of the next program in line, with the pipe character, and then we can use netcat to send that over the network. Oh no, I forgot, first we need to compress the file, so all we have to do is add gzip; that takes it from standard in. Now we just copy this part of this command right there, and then on this side we're going to add a layer, and that's going to be gunzip, and this time we'll give the file a more meaningful name; we'll call it mtdblock.bin. So we will run that one first, we'll run this, and then after it does this we have to Ctrl-C out of this program. See, it'll look like they're both hanging, like they still have work to do, but after dd prints this out, that's how you know the dd is done on the device side of the transfer, and then I can hit Ctrl-C, and once I hit Ctrl-C on the device the other side will be done.

Now we can go and see that this file was actually transferred here, and we can confirm that the transfer was exactly correct. This is a cool sanity check we can do: here is that device node, and we can actually do an md5sum of that device node. I'm typing things in my console... All right, so there is the md5 hash of that entire partition, and the cool thing that we can do is go do an md5sum of that exact bin file here, and we can see they match, so we know there was no error in the transmission, no encoding issues or bytes that got messed up while we were transferring that firmware. Now obviously we can go and do things like running binwalk on our firmware. Okay, so maybe there's some LZMA compressed data. We can run strings on this partition; okay, cool, there's some board flags, some VLAN information; this is potentially bootloader configuration stuff. Yeah, it's talking about memory, decompressing; this could be a kernel, this could be kernel config stuff as well.

So let's go ahead and do that partition that is a little bit more interesting, this mtdblock18. We'll just go back and change this. Working in a terminal like this is not fun. All right, I'm going to type it over here and then paste it, there we go, and then I have to get this side ready to be mtdblock18. So start a listener first, we'll start this; if we remember, last time it took just a little bit of time but not too long, and we'll wait around for that file to transfer, and then we're going to get ready on the other side to run binwalk, because I'm hoping that here binwalk will actually be able to extract some of those file systems out of there. It's interesting how we see potentially a couple of different file systems being mounted from there; not quite sure how that works. Okay, so again dd came back with its ending, so we Ctrl-C on the device side there. We can actually do our sanity check again, which is kind of cool. Oh, it's going to take longer, because if you're doing an md5 of every part of that partition, if you think about it, it's going to take longer the bigger the file is, because it has to read every byte of that file to compute the hash. There it is, md5sum, and now we're going to do it on block 18. Interesting, okay. Don't know why that is. Does the file size look good? That's so interesting. All right, I mean there's no reason the md5sum would be wrong; maybe on this side it might be wrong if something was not reliable, but that's surprising. Whoa, we got a different md5sum on this side. Okay, I don't know what that means. Oh, okay, why is it different? Why would that partition be different? Well, I just realized, because this is a writable file system, right? This system is running and it's probably writing data as we speak into these two locations; they're writable, and so the contents are going to change. So however you decide to do that firmware extraction, usually I'll just pull it at a point in time and use that as my starting point for my analysis. That's just usually how that goes.

But now let's bring this center stage. Okay, going to run binwalk on this thing. Okay, we have a file system, and that file system type again matches what we're seeing from the mount command on the other side, which is really great. So now we can run binwalk with the -e flag for extraction, and there it will attempt to extract that file system. Okay, yeah, it's just telling me it's going to change some symlinks, and I believe that's because there was a security issue reported in binwalk where you could trick people with maliciously created firmware files. Okay, so let's go look in here: it pulled out this JFFS2 file system, and here we get this data extracted, and again, if this looks familiar to me it's going to be in one of these two things... no, okay, this one. So there you can see those same files, so we successfully extracted that file system, and now we can perform all this analysis with a full suite of firmware analysis tools, reverse engineering tools. We don't have to be limited to the shell. We have a root shell, right, but as you can see from us having to pull in static binaries, we don't have all the tools we would want to perform the analysis we need to perform in this shell on the device itself. That's why it's really nice to pull all that data off onto our full-featured Linux desktop, or whatever operating system of your choice, to perform our firmware analysis. So thank you for watching this video, and in the next ones we're going to actually take a look at this firmware and do some reverse engineering, and maybe try to recreate some of the publicly reported vulnerabilities in this Netgear router. Thank you and have a good day.
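The two extraction methods the video walks through by hand (dd into a USB mount, and dd | gzip | netcat to a listener), together with the md5sum sanity check and the writable-partition mismatch it runs into, written out as one script. This is an added example and not the video's own commands: the source directory, the destination path, the three sample partition contents and the /tmp mount line are constructed stand-ins, and the TCP hop through netcat is replaced by a plain pipe so the script runs with no router attached. On a real device you would point the source at /dev, the destination at the mounted USB drive, and put nc back in the middle of the pipe as shown in the comments.

```shell
#!/bin/sh
# Added example, not code from the video: the dd-over-/dev/mtdblock* workflow
# with the integrity checks a practitioner wants. Device paths, the USB mount
# point and the sample partition contents below are constructed assumptions;
# on a real router point the source at /dev and the destination at the USB mount.
set -u

# Return 0 when a line of `mount` output shows the filesystem mounted noexec.
# The video checks /tmp for this: a static dd or nc dropped on a noexec mount
# will not run even after chmod 755.
mount_is_noexec() {
    case "$1" in
        *"("*noexec*")"*) return 0 ;;
        *) return 1 ;;
    esac
}

# USB method: copy every mtdblockN found under $1 into $2 as mtdblockN.bin
# with 1 MiB blocks, and store an md5 of each image beside it.
# Returns non-zero if any copy failed.
dump_all_mtd() {
    src_dir=$1; dest=$2; rc=0
    mkdir -p "$dest"
    for dev in "$src_dir"/mtdblock*; do
        [ -e "$dev" ] || continue
        name=$(basename "$dev")
        dd if="$dev" of="$dest/$name.bin" bs=1M 2>/dev/null || { rc=1; continue; }
        # Hash the image we wrote rather than re-reading the live device: a
        # partition mounted read-write (the JFFS2 one in the video) keeps
        # changing, so a later md5sum of the device will not match the dump.
        (cd "$dest" && md5sum "$name.bin" > "$name.bin.md5")
    done
    return $rc
}

# Network method: dd | gzip on the device, gunzip on the receiver. On the
# router the middle of the pipe is netcat, as in the video:
#   device:  dd if=/dev/mtdblockN bs=1M | gzip | nc 10.10.10.2 1234
#   desktop: nc -l -p 1234 | gunzip > mtdblockN.bin
# Here the TCP hop is replaced by a plain pipe so the function runs offline.
stream_partition() {
    dd if="$1" bs=1M 2>/dev/null | gzip | gunzip > "$2"
}

# The sanity check from the video: compare the md5 of the source with the md5
# of the dump. Returns 0 only on a match; for a read-write partition expect a
# mismatch whenever the source changed after the copy.
verify_dump() {
    a=$(md5sum < "$1" | cut -d' ' -f1)
    b=$(md5sum < "$2" | cut -d' ' -f1)
    if [ "$a" = "$b" ]; then
        echo "match $a"
        return 0
    fi
    echo "MISMATCH source=$a dump=$b"
    return 1
}

# Constructed stand-in for the router's flash (three tiny "partitions" with
# fixed content, not real Netgear firmware) so the workflow can be exercised
# without hardware.
make_fake_flash() {
    mkdir -p "$1"
    printf 'U-Boot env: board_flags=0x1 vlan=1\n' > "$1/mtdblock0"
    head -c 3000 /dev/zero | tr '\0' 'A' > "$1/mtdblock2"
    printf 'JFFS2 rootfs placeholder\n' > "$1/mtdblock18"
}

demo() {
    work=$(mktemp -d)
    make_fake_flash "$work/dev"
    dump_all_mtd "$work/dev" "$work/usb"
    stream_partition "$work/dev/mtdblock18" "$work/net_mtdblock18.bin"
    verify_dump "$work/dev/mtdblock18" "$work/net_mtdblock18.bin"
    # Append to the "live" partition and check again: this is the mismatch the
    # video hits on the writable mtdblock18.
    printf 'log line written by a running service\n' >> "$work/dev/mtdblock18"
    verify_dump "$work/dev/mtdblock18" "$work/net_mtdblock18.bin" || true
    mount_is_noexec "tmpfs on /tmp type tmpfs (rw,noexec,nosuid)" \
        && echo "constructed /tmp mount line is noexec: static binaries would not run there"
    ls "$work/usb"
}

demo
```

The design point is where the hash is taken: hashing the .bin the moment it is written gives a record of what was actually captured, while hashing the live device afterwards only works for partitions nothing is writing to, which is exactly the difference the video observes between the bootloader partition and mtdblock18.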
Info
Channel: Matt Brown
Views: 4,682
Id: wvrM0F7K1hY
Length: 30min 27sec (1827 seconds)
Published: Wed Apr 24 2024