IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell

Captions
What's up everybody, this is Matt Brown. Today we're going to do another hardware hacking video. I've got my hands on another Netgear router: this is the Netgear Nighthawk AC1750 Wi-Fi router. I got this also from an e-waste situation, and so we are going to take this over to the desk and give a completely uncut first take at my device. I have not opened this device up yet, so we're going to see my first reactions when I open up a device when I'm trying to do some hardware hacking and get at the software, try to find some vulnerabilities on this system. So let's take that over and switch over to the desk camera.

So here we go. I've got the router here. One thing that I do not have, because it just did not come with this device, is a power supply. I have some other power supplies that would fit this, and that would be 12 volts according to, maybe get that in focus here, so it says 12 volts 2.5 amps. I do not have a cord that provides that, so we are going to have to use our power supply, and that's up here on the bench. It's going to be hard to put in the camera, but I'm going to set up my bench power supply and provide voltage. To do that we're going to have to get into this just to even power this device on, so we are going to go ahead and do that.

So just going to take care of our first screw. I'm guessing there are other screws. Common places to find other screws are going to be under these things, or sometimes you feel underneath these stickers: they will put the stickers over top of a screw. I don't feel anything there, so let me take these off, and there we go, found another screw there. Just going to take all these off because I'm guessing there's another one, and the last one. Sweet. And just going to guess that's the same type of screw. Awesome. Yeah, and like I said, sometimes you'll see them hide a screw underneath these stickers, which you can usually feel, the screw hole, just poking around at it, but it doesn't look like that's the case on this device. All right, we'll see if this comes apart easily or if I have to pry at anything. There we go, that was easy.

Okay, and this is looking really excellent already. Wow, they even left the pins on. So just my initial first look inside this router: I see, we'll try to get this in focus here, that there are these debug pins with the connector, with pins in the through-hole slots all ready to go, and you see V, G, T and R. So if you've ever done any kind of hardware hacking you will guess right away that V is going to stand for voltage, G is going to stand for ground, and then the T and the R: T is going to be TX for transmit and R is going to be RX for receive. We're not going to be messing with the voltage pin right here, so I have a cable ready to go on my desk that I'm going to be able to connect to these three pins. Wow, I was expecting this to be a lot harder than this.

But before I do that, before any of that works, we are going to need to power the device on, and I need to get connected up, soldered up, to this power supply here. To do that, I'm wondering if I can get the rest of this circuit board out of this enclosure. Oh, it's not going to want to do that because of these antennas; everything else would come out. Okay, well at least that gets that piece of plastic out of my way. Let's see what we got here, because ultimately I want to connect up to these two points here. So the first thing I'm going to do is just grab a multimeter and throw it into its continuity testing mode, so when I connect two points that are connected on the board it will give me an audible sound. The first thing you need to do is find ground. These shields are almost always connected to ground, so I'll touch one, touch the other, I hear that sound, that means that these are grounded. So now I can hold here, and now I've got this connector here with two sides to it; you can see there's one terminal here and another one on the side. So what I'm going to do is I'm going to hold to what I know is ground, I'm going to touch the back, don't hear anything, touch the side, hear something. Try to get this camera to refocus down on the desk, there we go. So now I know that the side is ground; that means that this back part is going to be voltage.

So we are going to get some wire that I have over here just laying around. You know what, we're just going to take this, we're just going to cut it in half, this doesn't have to be pretty, and then I'm going to make one side my ground, the other side the voltage line, the positive terminal. So we're just going to strip these wires off here. All right. Yeah, and if I could remove this component that would let me get at all that stuff more easily, but I'm probably just going to solder the wire directly onto that component. Again it doesn't need to be super stable; I'm going to be keeping this fairly stationary on my desk. So now we've got the soldering iron heated to, wow, I'm all the way up at 790. Okay, I don't usually go that high; I was having some frustrations with something and some solder. We are going to have to burn this Wi-Fi thing here. You know what, this will be better to see under the microscope for you all, so let's swap to the microscope camera, turn my light on, and we will get this to where we can see that connector right there, get focus best we can. All right, so you can see this one a lot better, and then there's one here, so we've got ground and then the positive terminal. Again this doesn't have to be pretty. I'm going to attempt to heat both of these up, turn on my air filter to try to take some of that away. This is going to be a terrible, terrible soldering job but it's going to work. Now I just have to strip this other wire; actually I don't need that much wire. Okay, so this is going to connect up right here, and since this is ground, and ground is connected to a lot more thermal mass on this board, it's always going to take a bit more time to heat up. Hold that, solder, cool, there we go.

Okay, back to our desk cam here. So now we're going to sanity check that this guy right here is connected to ground, it is, and then we're going to check that this is not connected to ground, so I didn't screw anything up there. All right, so now, again it's kind of hard to show this, but over on my desk I have a bench power supply. Going to turn that on and going to connect up our ground lines here and then the positive terminal, just make sure those are not bridging or touching anything. And then on my power supply I'm going to configure it for 12 volts, and then I can even give it the amperage, which I actually need to do. All right, there we go: 12 volts, 3 amps. Okay, we are going to just turn this on, and then what we're going to do is I'm going to have my multimeter ready right here, and we're going to put it in voltage mode now, and we're going to test these pins here.

Okay, so before I power on, again these have already been really nicely labeled for us. It's really hard to see from the camera what I'm doing, but I'll just kind of narrate. So we have the voltage, ground, transmit, receive, so we believe, right, VGTR is labeled on our board. So I'm going to just do a quick sanity check that the G is actually ground, it is, and then that none of the other ones are connected to ground, they are not. So now what I'm going to do is I'm going to switch into voltage mode, and now we're going to begin to examine the voltages of the T and the R. I'm going to connect up to the T because I want to see if it's transmitting data. If that is the transmit pin we're going to see this voltage kind of oscillate between most likely 3.3 volts and zero, and it's going to jump around. So I'm going to prepare, you know what, so I can connect, just sneak this lead in there so I only have to use one hand, so my other hand is holding on my power supply. I'm just going to hold on the T pin on the board and then we're going to turn the device on, see it go to 3.3 volts, and there you go, you saw that little bit of oscillation there. Okay, we're seeing some lights light up on the circuit board. I'm looking to see if I see any more jumps back and forth. Sometimes you won't see it, but that doesn't necessarily... okay, that was because I moved my hand, but yeah, we definitely saw that jump, which means that again this is the transmit pin. It's clearly labeled.

So with that I'm going to power off the device, and now what we're going to do is we're going to actually try to interact with what we believe to be a UART terminal on this device. To do that I've got my USB 232R 3.3 volt cable here. All this cable does is it's got USB, and then on the other side are these six wires, but we only need three of them: we only need ground, transmit and receive to be hooked up. So again, here we don't even have to guess, we don't even have to make a hypothesis and guess and check, right, because it's just labeled. This really is easy mode right here. So I just need to get one more wire that is female to female. All right, I'll pull one off of something else. Okay, so we can look this up on the computer later, but I just have the pinout of this memorized. So on this cable the yellow wire is our receive, it's our USB receive, so I need to connect the board's transmit to there, and then vice versa, orange is going to be the transmit, which needs to be connected to the board's receive pin, and then ground just connects to ground. Oh, actually, no, I was wrong, I need male to female; I've got a million of those wires. Here we go. Okay, so connecting that up, here's ground, again it's hard to see but just believe me, and then yellow is the USB-side receive, so we're going to connect that to the transmit pin on the board, and vice versa for the receive pin on the board. So now we have that rigged up to our USB cord. I'll plug into my USB hub, it's over here on the desk. Okay, it's plugged in, now come over to our desk.

So let's take a quick look at dmesg, because when I plugged in that cord just now, you can see here it registered this new USB device and it says, hey, there's this USB serial device attached to ttyUSB0. So now what we can do is use a terminal emulator program like picocom, and I'm just going to pick what is the most common default baud rate. This is the data rate, and I have no way of knowing what this is, but the most common baud rate for a Linux IoT device is this, and if I try this and I don't get good data then I might have to fall back to using something like a logic analyzer and looking at the time difference between the pins going high and low, and I might have to make a determination of how frequently it's transmitting. Or what you can do is just guess all the common baud rates, and that's what I do more often, just guess common baud rates. So here we go, ttyUSB0, I'll hit that, and now I'm going to go back and I'm just going to power on the device, and we can see that we definitely guessed correctly for the baud rate because we are getting ASCII data here in this terminal emulator.

So this is really interesting. I'm going to scroll back up and just see right from the start. So right from the start it says "turn ready", "digital core power voltage set to" blah, some other stuff. I've never seen something like this before at the start; guessing this is just some kind of debug information. All right, blah blah blah, "for Foxconn router", okay, that's interesting. Maybe Netgear uses Foxconn, right, the manufacturing company that manufactures iPhones; maybe that's what that is talking about here, who knows. So okay, oh interesting, so a lot of these devices, when you really jump into their bootloaders, they will have an option to load firmware over the network, where it'll create a network interface, and this is usually for development purposes. It almost looks like this hung around in the bootloader for a while, like waiting for that to time out, because here it says "closing network". So that's really fascinating; if we could get this to boot up and interact with it really fast on this static IP... but here we go. Okay, so it says "console enabled, bootconsole disabled", that's all interesting. So we can read all this interesting stuff later, but what I'm interested in is, oh holy crap, okay guys, they still haven't learned their lesson.

So if you don't understand why I'm reacting this way, it's because I am not right now being prompted with a login like "hey, give us your username and password". No, instead I'm just getting the hash symbol, which in Linux typically means that you have a root shell, not a standard user account; you have a root shell. But I mean this is IoT, everything runs as root. Yeah, okay, uid admin, okay, that's like my username, did I just not remember the right... okay, anyway, I'm clearly root, which they apparently renamed to admin. Yeah, they renamed it to admin, and why I'm saying they renamed it to admin is because here this is uid zero. In Linux uid zero, user ID zero, is root: you're the administrator, you have full control of the system. They just dropped us a root shell through this interface without making me, you know, dump the firmware, crack a root password hash. No, they're just giving me a shell. So this is super cool. What do we got here, hit enter, "up agent release", okay.

So something I'm very interested to see if I can find, and I'm sure maybe it got printed in this console output or maybe there's a config file somewhere that I can find, is the firmware version. I did a little bit of Googling on the Nighthawk. Now the Nighthawk is a series of Netgear routers, and there are some known exploits, some known CVEs, for certain firmware versions. Obviously they patched them, you can go and read about it on Netgear's website, but I think it requires a manual update, right? And who actually goes to their Wi-Fi router's web page every now and then to check if there is a security update that they have to manually apply to their router, right? Modern-day IoT devices do auto updates because they realize no one is going to do that.

So anyway, let's do some other basic stuff since I've just been handed this awesome root shell. What are some of the first things that I do when I'm analyzing an IoT device and I get a root shell like this? Okay, this is really interesting, all this output. So I have not yet plugged this into my network at all, which you can see from some of this output: it says "ping: bad address", so it's clearly trying to ping www.netgear.com, most likely as a "hey, am I online, am I connected to the internet" kind of check, right? And probably, you'll see this on some Wi-Fi routers, there are these LED lights, and oftentimes it'll be an LED light for "your internet is working", right? So potentially the way they're performing that check under the hood is by issuing a ping command to www.netgear.com. I don't know that, I'd have to dig into that more.

So the first thing I'm going to do on a system like this is ps, of course; it's the BusyBox ps. ps is going to list all the running processes on the system. Okay, so we see this xagent program. I think that there's a lot of meat there; knowing a little bit about these devices, that is a very core binary that does a lot of stuff on these systems. This is very interesting. Okay, it doesn't give me a path to where this AWS JSON thing is, and obviously I'm going to review this video since this is totally live, my first view at this. Oh yeah, actually, let's find something. So when I said this device is from e-waste, I mean it was from a friend of mine, so let's see if we can find his Wi-Fi password. Okay, so ps. So, open source: this is an open source Linux device, right, it's using a lot of open source technology, and so most likely what they're using to host the AP is hostapd; it's the open source Linux Wi-Fi router program. So let's see if we can find hostapd running anywhere. All right, WPS monitor, there's all sorts of interesting processes running on this system, there could be a lot to look at here, but okay, let me just try to grep for hostapd... oh, wpa_supplicant. You know what, it might not start the Wi-Fi until it detects that it has internet, so there's some legitimacy to that, so let me check that really fast, let me see if I notice the Wi-Fi broadcasting. Oh no, the Wi-Fi is working, okay. So let's see, where would the Wi-Fi creds be? That's what we're looking for, looking for these awesome Wi-Fi creds. Gosh, there's just so much interesting stuff here. Wait, telnet enabled? I don't know where to start, a lot of interesting stuff. So netstat, listening TCP, yeah, give me the program name, no, it doesn't let me do that, come on. All right, I don't actually see something listening on port 22 or whatever, forget about that.

Let's go to /etc, see if there's any common config files that you find in /etc. Oh, actually, another thing that I do first is I run, come on, typed it wrong, all right, the mount command. Why this is important on an embedded Linux device, as opposed to some other Linux like a standard Linux server, Linux desktop, anything like that, right: the reason why I want to run mount, and I want to understand what the different file systems look like on the device, is because it can actually tell me where something like a password will live. And we can see that on this device. So here we can see that the root file system, so the main file system that's going to have all your common things, right, for example the place where the ls program, the mount program itself live, well, they're going to live on the root file system, right, where the bulk of the Linux utilities are going to live, that is on a SquashFS file system. SquashFS is a very common file system on embedded devices, and it is by design, in the kernel, a read-only file system. If you try to run mount with the remount flag, if you try to remount this file system as read-write to make it writable as well, it will silently, or not so silently, fail; it does not work. It is a read-only file system by design, which means that a thing like a Wi-Fi password that a user configures and can change over time is obviously not going to be in this file system. Well, that means that there's got to be something else in here that is writable and is where data like that can be stored. So that's what we're going to look at: all of these file systems that are read-write are what I'm looking for, and I'm not looking, at least at this time, at temporary file systems. Now it's possible that it could be stored encrypted and then decrypted at runtime into those temporary file systems, so it's not that something like a password can't live there, but for now what I want to look at is these three file systems; these catch my eye as a place where data like that could live.

Okay, so tmp, media, name: what do we got here, guys? Okay, Bitdefender, I've heard of that name before, I feel like that's some IoT security thing, but okay. There's a file called deviceinfo, okay, nothing crazy so far there. known_devices, what's that? Nothing. Okay, device table, stage data, okay, this is some interesting stuff. Logging, cloud, okay, nothing crazy yet there. Let's just look at all the files. What the heck, I don't know what this Bitdefender crap is. Router analytics, okay, here's this, what is this, oh that's a binary, don't do that. Really, what is this router analytics thing? "find: not found", okay. All right, not looking like that is promising. Okay, this is really interesting, like OpenVPN, wait a minute. All right, I mean there is a key and stuff like that here. Okay, can't find anything like an OpenVPN... there is a client key. Yeah, I mean it looks like there may be some OpenVPN creds; who knows what they're actually being used for. I'm not going to cat them out in case they are sensitive and I'd have to censor that data. So let's go back to the last thing here in mount: it's called /mount, it's mounted onto /mount. Okay, update database, update firmware DB, md5, okay, circle.db, interesting. shares, user, okay, shares, user, interesting. Yes, these are definitely some programs and some kind of... wait a minute.

Okay, so I'm wondering, I have a hypothesis and I need to remember how to test this, and I totally don't remember. The hypothesis is that the router is built upon OpenWrt or DD-WRT, right, those open source Wi-Fi router systems. So to check that I would want to do... OpenWrt, okay, there's this config tool, there's something where in RAM it can store configuration settings, and yes, I want to say it's this, no it's not, it's something like the nvram tool, yeah, it's just called... oh yeah, this is it, okay, that's totally it: nvram show. Okay, here we go. All right, so I'm probably going to have to censor all that out since that scrolled by really fast, but you could probably see something from there. But what we're going to grep for is nvram show, grep case-insensitive, "password". Okay, so this is definitely where some of these configuration settings are stored. I don't know if these are, let's say SSID... okay, there is a bunch of SSID information, and yep, yeah, okay, so this is all going to be censored in the video because we have definitely found some of the configuration for one of the SSIDs that is not the default, right. It is definitely my friend's Wi-Fi information, who was kind enough to give me this router after he was done with it. So okay, that's SSID, but isn't there like a password? Anyway, you can see here that we were very quickly able to open up this router that we just got out of e-waste, right, without factory resetting this stuff, to obtain the SSID and password, which, I mean, a bunch of people reuse those when you get a new Wi-Fi router, right? So that's really interesting.

I think there's a bunch of stuff that is listening. I forget, it doesn't have the -p flag, so this is the version of netstat that for some reason just takes forever, but there's a bunch of processes running on this thing, there are so many open ports on this thing, that, yeah, some of the CVEs I'm sure that I saw roughly pertaining to a bunch of the different Nighthawk routers, I'm sure this device is vulnerable to. I think we'll do some more videos where maybe we actually extract some of the binaries off of this device and we start to analyze those binaries in Ghidra and look for the root cause of some of those vulnerabilities. I think that'd be fun. This is just a first look, a raw take at what I do when I take a device onto my desk, and if you say "where do you start?", well, this is where I start. Usually I don't get a root shell this fast, but it's always nice when you get a root shell right off the bat and they label the pins so nicely. It's great. But without anything more in this video, I'm going to say thank you for watching, and please like, comment and subscribe. I've been getting some great feedback in the comment section, so keep that up, tell me what devices you'd want me to do next. I really appreciate all your feedback, so thank you, have a good day.
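Two of the first-look checks described in the video, the "is this an unauthenticated root console?" moment and the `mount` triage that separates the read-only SquashFS root from the writable volumes where user-changeable secrets such as a Wi-Fi passphrase must persist, written up as an added audit script. This is example code, not code from the video, from Matt Brown, or from Netgear; the console transcript and `mount` output it parses are constructed samples in the shape of what a BusyBox system prints, not captures from the router in the video.

```python
"""First-look triage of a captured UART console session on embedded Linux.

Added example (constructed sample data, not captured from the device in the video):
  did_console_skip_login(): flags a shell prompt that appears with no login prompt first
  is_root_id(): recognises uid=0 in `id` output, whatever the account is named
  classify_mounts(): splits `mount` output into read-only, persistent writable and RAM-backed
"""
import re
from dataclasses import dataclass, field

# Writable filesystems that survive a power cycle: where a configurable secret can persist.
PERSISTENT_RW_TYPES = {"jffs2", "ubifs", "yaffs2", "ext2", "ext3", "ext4", "f2fs", "vfat"}
# RAM-backed filesystems: contents are lost at power-off (a secret may still be decrypted there at runtime).
VOLATILE_TYPES = {"tmpfs", "ramfs", "devtmpfs"}
# Kernel pseudo-filesystems and the placeholder "rootfs" entry carry no user data; skip them.
SKIP_TYPES = {"rootfs", "proc", "sysfs", "devpts", "debugfs", "cgroup", "securityfs"}

# Line shape printed by `mount`: "<source> on <target> type <fstype> (<opt,opt,...>)"
MOUNT_RE = re.compile(r"^(?P<src>\S+) on (?P<target>\S+) type (?P<fstype>\S+) \((?P<opts>[^)]*)\)")
# A bare shell prompt: "#", "/ #", "~ #", "root@router:/ #". A "# comment" line does not match.
PROMPT_RE = re.compile(r"^\s*(?:[\w@~:./-]*\s*)?#\s*$")


@dataclass
class MountReport:
    readonly: list = field(default_factory=list)       # e.g. the SquashFS root: immutable by design
    persistent_rw: list = field(default_factory=list)  # where nvram-style config, keys, creds can live
    volatile: list = field(default_factory=list)       # tmpfs and friends
    other_rw: list = field(default_factory=list)       # writable but of an unrecognised type: inspect by hand


def classify_mounts(mount_output: str) -> MountReport:
    """Bucket each mount point by whether a user-changed secret could persist on it."""
    report = MountReport()
    for line in mount_output.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m or m["fstype"] in SKIP_TYPES:
            continue
        opts = set(m["opts"].split(","))
        target, fstype = m["target"], m["fstype"]
        if "ro" in opts or fstype == "squashfs":   # SquashFS is read-only even if remounted "rw"
            report.readonly.append(target)
        elif fstype in VOLATILE_TYPES:
            report.volatile.append(target)
        elif fstype in PERSISTENT_RW_TYPES:
            report.persistent_rw.append(target)
        else:
            report.other_rw.append(target)
    return report


def did_console_skip_login(console_log: str) -> bool:
    """True when a shell prompt shows up before any 'login:' prompt: an unauthenticated console."""
    for line in console_log.splitlines():
        if "login:" in line.lower():
            return False          # the console asks for credentials first
        if PROMPT_RE.match(line):
            return True           # dropped straight to a shell
    return False


def is_root_id(id_output: str) -> bool:
    """uid 0 is root regardless of the account name shown in parentheses (e.g. 'admin')."""
    return re.search(r"\buid=0\(", id_output) is not None


# Constructed sample data in the shape of a boot log and `mount` output; not captured from the video's router.
SAMPLE_CONSOLE = """\
U-Boot (constructed sample)
Booting kernel ...
[    2.113000] Freeing unused kernel memory
console [ttyS0] enabled, bootconsole disabled
#
# id
uid=0(admin) gid=0(root)
"""

SAMPLE_MOUNT = """\
rootfs on / type rootfs (rw)
/dev/root on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /tmp type tmpfs (rw,relatime)
/dev/mtdblock5 on /mnt/config type jffs2 (rw,relatime)
/dev/mtdblock6 on /mount type jffs2 (rw,relatime)
"""

if __name__ == "__main__":
    print("unauthenticated root console:", did_console_skip_login(SAMPLE_CONSOLE) and is_root_id(SAMPLE_CONSOLE))
    print(classify_mounts(SAMPLE_MOUNT))
```

The `persistent_rw` bucket is the list to hand to whoever owns the device's decommissioning process: those volumes are what a factory reset must actually wipe before the unit leaves the building, and a bare `#` with `uid=0` before any `login:` line is the finding that the serial console needs a getty with authentication or a fused-off debug port.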
Info
Channel: Matt Brown
Views: 6,730
Id: 7iuwY3hIcHw
Length: 41min 22sec (2482 seconds)
Published: Mon Apr 22 2024