Class 8 Lab 4 ‐ Analyzing Firmware - Justin-Boyd/CIT-Class GitHub Wiki

Task 1: Prepare the Environment

Step 1

  • Start your pfSense machine.

Step 2

  • Start your Ubuntu machine, right-click anywhere on the desktop, select New Folder, and name it Firmware_Forensics.

Step 3

  • Double-click Firmware_Forensics to open it.

Step 4

  • Drag and drop the openwrt-18.06.1-armvirt-32-zImage-initramfs firmware file into the Firmware_Forensics folder on your Ubuntu machine.

Step 5

  • On your Ubuntu machine, click Activities, search for Terminal, and open it.

Step 6

  • QEMU is an open-source machine emulator and virtualizer. The firmware targets ARM, so QEMU will be running a guest CPU architecture different from the host's; that is full system emulation, not hardware virtualization. Ubuntu splits QEMU into several packages, which the following steps install one by one, beginning with the core package, qemu.
  • Run the following command:
sudo apt install qemu -y

Step 7

  • To install the full system emulation binaries, run
sudo apt install qemu-system -y

Step 8

  • To install ARM system emulation binaries (the ones this lab actually needs for the armvirt image), run
sudo apt install qemu-system-arm -y

Step 9

  • To install common system emulation binaries, run
sudo apt install qemu-system-common -y

Step 10

  • To install MIPS system emulation binaries, run
sudo apt install qemu-system-mips -y

Step 11

  • To install PPC system emulation binaries, run
sudo apt install qemu-system-ppc -y

Step 12

  • To install user mode emulation binaries, run
sudo apt install qemu-user -y

Step 13

  • To install static user mode emulation binaries, run
sudo apt install qemu-user-static -y

Step 14

  • To install QEMU utilities, run
sudo apt install qemu-utils -y

Step 15

  • Install Binwalk using
sudo apt install -y binwalk

Task 2: Analyze and Emulate the Firmware

Step 1

  • In the terminal, navigate to the firmware folder on your desktop using
cd Desktop/Firmware_Forensics/

Step 2

  • Use Binwalk to identify the firmware file’s image type by running the binwalk command without flags, for example binwalk openwrt-18.06.1-armvirt-32-zImage-initramfs. The signature scan reports a Linux kernel ARM boot executable (zImage) at the start of the file and a compressed data stream at a later offset: a zImage is a small decompressor stub followed by the compressed kernel. Note that offset; binwalk names its extraction directory after it.

Step 3

  • Check the file's entropy using the following command. binwalk -E plots the Shannon entropy of each block of the file against its offset, normalised so that 1.0 means the maximum of 8 bits per byte:
binwalk -E openwrt-18.06.1-armvirt-32-zImage-initramfs

Step 4

  • For comparison, check the entropy of the ls command binary, an ordinary uncompressed ELF executable, by running
binwalk -E /bin/ls

Step 5

  • Use the strings tool to extract strings from the file by running
strings -n 10 openwrt-18.06.1-armvirt-32-zImage-initramfs
  • Note: -n 10 keeps only runs of at least 10 printable characters. Most of what comes out is random-looking runs of characters that merely happen to be printable, the signature of compressed or encrypted data; there is almost no readable text.

Step 6

  • Run the strings command on the ls command binary file:
strings /bin/ls
  • Note: This output looks very different. An uncompressed ELF binary keeps its data sections in the clear, so you see readable symbol names, library names, option strings and error messages.

Step 7

  • Based on the results regarding the firmware file in the previous steps, is it compressed/encrypted or not?
Answer
Yes. The entropy is close to the 8 bits per byte maximum across most of the file, and strings yields almost no readable text; together these mean the contents are compressed or encrypted. Entropy alone cannot tell the two apart. The binwalk signature from Step 2 settles it here: a zImage is a compressed kernel with a decompressor stub in front, so this is compression, which is why extraction in the next step works without any key.
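As an added illustration (not part of the lab, and not binwalk's code), the following shell script computes the same Shannon entropy that binwalk -E plots, whole-file and per block, and applies the reasoning of the answer above to constructed sample files: repeated ASCII text, random bytes standing in for a compressed payload, and a mixed file of text followed by that payload. The file names, the 7.5 and 5.0 bits-per-byte cut-offs and the sample contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the lab: the measurement behind binwalk -E.
# Shannon entropy in bits per byte, H = -sum p(b) * log2 p(b) over the 256
# byte values b. 8.0 means every byte value is equally likely, which is how
# compressed or encrypted data looks; ASCII text sits near 4-5 bits and
# zero padding near 0. Needs only od, tr, awk, dd, wc (POSIX tools).

# Entropy of whatever arrives on stdin, printed with three decimals.
byte_entropy() {
    od -An -v -tu1 | tr -s ' ' '\n' | awk '
        NF { count[$1]++; total++ }
        END {
            if (total == 0) { print "0.000"; exit }
            h = 0
            for (b in count) {
                p = count[b] / total
                h -= p * log(p) / log(2)
            }
            printf "%.3f\n", h
        }'
}

# Label an entropy value. The cut-offs are a working heuristic (an assumption
# of this example, not a standard): above 7.5 bits/byte almost always means
# compression or encryption, 5-7.5 mixed code and data, below 5 text/padding.
classify_entropy() {
    awk -v h="$1" 'BEGIN {
        if (h >= 7.5)      print "compressed/encrypted"
        else if (h >= 5.0) print "code/mixed"
        else               print "text/sparse"
    }'
}

# Per-block entropy table: the textual form of the binwalk -E plot.
# Usage: entropy_scan <file> [block_size]   (dd bs=1 is fine for small files;
# for a multi-megabyte image use a larger bs and scale the offsets)
entropy_scan() {
    file=$1
    block=${2:-1024}
    size=$(wc -c < "$file" | tr -d ' ')
    off=0
    while [ "$off" -lt "$size" ]; do
        h=$(dd if="$file" bs=1 skip="$off" count="$block" 2>/dev/null | byte_entropy)
        printf '0x%08X  %s  %s\n' "$off" "$h" "$(classify_entropy "$h")"
        off=$((off + block))
    done
}

# Constructed sample files (stand-ins, not real firmware): repeated ASCII text,
# random bytes standing in for a compressed payload, and a "firmware-like"
# file of 9000 text bytes followed by that payload. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    i=0
    while [ "$i" -lt 200 ]; do
        printf 'The quick brown fox jumps over the lazy dog. '
        i=$((i + 1))
    done > "$dir/text.bin"
    head -c 8192 /dev/urandom > "$dir/random.bin"
    cat "$dir/text.bin" "$dir/random.bin" > "$dir/firmware.bin"
    printf '%s\n' "$dir"
}

# Demo: whole-file entropy of each sample, then the per-block view of the
# mixed file, where the label flips from text/sparse to compressed/encrypted
# around offset 0x2328 (9000), where the payload begins.
samples=$(make_samples)
for f in text.bin random.bin firmware.bin; do
    printf '%-12s whole-file entropy: %s\n' "$f" "$(byte_entropy < "$samples/$f")"
done
entropy_scan "$samples/firmware.bin" 2048
```

Run it with sh, or point entropy_scan at the OpenWrt image to get a table you can compare against the binwalk -E plot. Random and compressed data both score near 8 bits per byte, so the table only tells you that a region is not plain code or text; identifying the compressor is the job of binwalk's signature scan, not its entropy scan.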

Step 8

  • Extract the files using the following command:
sudo binwalk -Me openwrt-18.06.1-armvirt-32-zImage-initramfs
  • Note: -M (matryoshka) recursively scans each extracted file, and -e automatically extracts known file types. Do not confuse -M with lowercase -m, which selects a custom magic file.

Step 9

  • Use the following command to enter the extracted directory and then the _3D5C extracted directory. binwalk names the top-level directory _<filename>.extracted and each nested extraction after the hexadecimal offset at which it found the payload, so 3D5C is the offset of the compressed stream noted in Step 2.
cd _openwrt-18.06.1-armvirt-32-zImage-initramfs.extracted/_3D5C.extracted/

Step 10

  • Run ls to see the contents of the folder. This is the initramfs unpacked from inside the decompressed kernel. You would normally expect a file system hierarchy (bin, etc, lib, usr and so on); in this lab's run the entire file system appeared in a single directory instead. Either way, etc/passwd, etc/shadow and the init scripts are the first things to look at.
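The extraction in Steps 8 and 9 works because binwalk pairs a signature scan with a carve-and-decompress step. The added script below (written for this page, not binwalk's or OpenWrt's code) shows both on a constructed image: it finds byte-aligned magic values and their offsets, then carves from the first gzip hit and gunzips it, naming the output after the hexadecimal offset the way binwalk names its _<offset>.extracted directories. The signature subset, the file names and the sample layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the lab and not binwalk's code: the two things
# binwalk -Me does for each hit, reduced to POSIX tools. (1) Scan the image for
# known magic bytes and report their offsets; binwalk names its output
# directory after such an offset, which is where a name like _3D5C.extracted
# comes from. (2) Carve from the offset to the end of the file and hand the
# bytes to the matching decompressor (here gzip). Needs od, tr, awk, dd, gzip.

# Print "offset_dec<TAB>offset_hex<TAB>name" for every byte-aligned occurrence
# of a hex signature. Usage: find_magic <file> <name> <hex-bytes>
find_magic() {
    file=$1 name=$2 magic=$3
    od -An -v -tx1 "$file" | tr -d ' \n' | awk -v name="$name" -v magic="$magic" '
        {
            hex = $0; start = 1
            while ((pos = index(substr(hex, start), magic)) > 0) {
                abs = start + pos - 1             # 1-based index into hex string
                if ((abs - 1) % 2 == 0)           # even index = byte aligned
                    printf "%d\t0x%X\t%s\n", (abs - 1) / 2, (abs - 1) / 2, name
                start = abs + 1
            }
        }'
}

# A small, assumed subset of the signatures binwalk knows, sorted by offset.
scan_signatures() {
    {
        find_magic "$1" gzip      1f8b08          # gzip member header
        find_magic "$1" xz        fd377a585a00    # xz stream header
        find_magic "$1" squashfs  68737173        # "hsqs", little-endian squashfs
        find_magic "$1" cpio-newc 303730373031    # "070701", newc cpio (initramfs)
    } | sort -n
}

# Carve from <offset> to end of file and gunzip the result into <out>.
# Trailing data after the gzip member is normal in a firmware image; gzip then
# exits with a warning, so success is judged by whether output was produced.
# Usage: carve_gzip <file> <offset_dec> <out>
carve_gzip() {
    file=$1 offset=$2 out=$3
    dd if="$file" bs=1 skip="$offset" 2>/dev/null | gzip -dc > "$out" 2>/dev/null || [ -s "$out" ]
}

# Constructed sample image (not real firmware): 64 bytes of header padding,
# a gzip member holding a small text "rootfs", then trailer bytes.
make_firmware_sample() {
    dir=$(mktemp -d)
    printf 'stand-in rootfs listing: /bin/busybox /etc/passwd /etc/shadow\n' > "$dir/payload.txt"
    {
        i=0
        while [ "$i" -lt 4 ]; do printf 'HDR-PADDING-0000'; i=$((i + 1)); done
        gzip -c -n "$dir/payload.txt"
        printf 'TRAILER-BYTES'
    } > "$dir/firmware.bin"
    printf '%s\n' "$dir"
}

# Demo: scan, take the first gzip hit, carve it into _<hex>.carved (mirroring
# binwalk's _<hex>.extracted naming) and show the recovered text.
sample=$(make_firmware_sample)
scan_signatures "$sample/firmware.bin"
off=$(scan_signatures "$sample/firmware.bin" | awk '$3 == "gzip" { print $1; exit }')
hexoff=$(printf '%X' "$off")
carve_gzip "$sample/firmware.bin" "$off" "$sample/_$hexoff.carved" && cat "$sample/_$hexoff.carved"
```

On the real image, scan_signatures run against openwrt-18.06.1-armvirt-32-zImage-initramfs should report the same compressed-stream offset that binwalk used for its _3D5C.extracted directory; which decompressor to hand the carved bytes to depends on which signature matched, which is exactly what binwalk automates.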

Step 11

  • Use the following commands to emulate the firmware downloaded in Task 1 (the -kernel argument is the OpenWrt image file itself):
cd ~/Desktop/Firmware_Forensics/
qemu-system-arm -M virt-2.9 \
  -kernel openwrt-18.06.1-armvirt-32-zImage-initramfs \
  -no-reboot -nographic \
  -netdev user,id=net1,hostfwd=tcp::8080-:80 \
  -device virtio-net-pci,netdev=net1 \
  -append "root=/dev/vda"
  • -M virt-2.9 selects QEMU's generic ARM virtual machine, the board the armvirt build targets, and -nographic attaches the device's serial console to this terminal. -netdev user,... creates a user-mode (NAT) network backend, and hostfwd=tcp::8080-:80 forwards TCP port 8080 on the Ubuntu host to port 80 on the emulated device, so its web interface will be reachable at http://localhost:8080; -device virtio-net-pci,netdev=net1 is the virtual NIC wired to that backend. root=/dev/vda is inert here: no disk is attached and the kernel boots from the initramfs embedded in the image.

Step 12

  • After about a minute the boot messages stop and OpenWrt prints “Please press Enter to activate this console”. Press Enter and you get the firmware’s shell with no login prompt.

Step 13

  • In the firmware’s shell, run the ip a command.

Step 14

  • To check whether the root account has a password, print the shadow file with cat /etc/shadow. The root line is OpenWrt's shipped default, root::0:0:99999:7:::. The second field is the password field, and it is empty, so root can log in with no password at all; this is what the web interface will accept in Step 18.

Step 15

  • Click the Firefox icon in the taskbar.

Step 16

  • Browse to http://localhost:8080 and note that the connection fails. QEMU does forward the request into the emulated device, but the device's firewall blocks inbound traffic on the interface the forwarded connection arrives on, so nothing answers.

Step 17

  • In the emulated device's shell, stop the firewall so the forwarded request can reach the web server:
/etc/init.d/firewall stop
  • This is acceptable on a throwaway emulated instance; on a real device you would add a rule for the one port rather than disable the firewall. The change is not persistent: the firewall starts again on the next boot.

Step 18

  • Browse to http://localhost:8080 again, click Login, and enter the username root with the password field left empty. The login succeeds because of the empty shadow field seen in Step 14.

Step 19

  • Click Go to password configuration…, enter a new password, and leave the SSH configuration as is.

Step 20

  • Scroll down and click Save & Apply.

Step 21

  • It may take up to 30 seconds to apply the new settings.

Step 22

  • In the device’s terminal, run cat /etc/shadow again and verify that the second field of the root line now holds a password hash instead of being empty. On OpenWrt 18.06 the busybox passwd applet typically writes an MD5-crypt hash, recognisable by its $1$ prefix, a weak algorithm by today's standards and one more reason not to trust a router's defaults.
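Steps 14 and 22 both read /etc/shadow by eye. The added script below (an example written for this page, not OpenWrt's or the lab's code) does the same check systematically for every account, either on the emulated device or against the etc/shadow file in the directory extracted in Task 2: an empty password field means passwordless login, a * or a leading ! means the account is locked, and a $id$ prefix names the hash algorithm. The sample shadow lines are constructed, the salt and hash in the admin entry are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the lab: classify every entry in a shadow(5) file,
# as you would for /etc/shadow in a binwalk-extracted rootfs or on the emulated
# device. Field 2 is the password field: empty means login with no password
# at all (the state the lab finds for root), "*" or a leading "!" means the
# account is locked, and "$id$salt$hash" identifies the crypt(3) algorithm.

# Map a password field to a status label.
#   ""             -> NO-PASSWORD
#   "*", "!", !... -> LOCKED
#   $1$... etc.    -> HASH(<algorithm>)
password_status() {
    pw=$1
    case "$pw" in
        '')        echo "NO-PASSWORD" ;;
        '*'|'!'*)  echo "LOCKED" ;;
        '$1$'*)    echo "HASH(md5crypt)" ;;
        '$5$'*)    echo "HASH(sha256crypt)" ;;
        '$6$'*)    echo "HASH(sha512crypt)" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "HASH(bcrypt)" ;;
        '$y$'*)    echo "HASH(yescrypt)" ;;
        '$'*)      echo "HASH(unknown-id)" ;;
        *)         # no $id$ prefix: a 13-character field is traditional DES crypt
                   if [ "${#pw}" -eq 13 ]; then echo "HASH(descrypt)"
                   else echo "MALFORMED"; fi ;;
    esac
}

# Print "user<TAB>status" for every line of a shadow file given on stdin.
audit_shadow() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}
        rest=${line#*:}
        pw=${rest%%:*}
        printf '%s\t%s\n' "$user" "$(password_status "$pw")"
    done
}

# Exit 0 only if no account can log in without a password.
# Usage: no_passwordless_accounts < /path/to/shadow
no_passwordless_accounts() {
    ! audit_shadow | grep -q 'NO-PASSWORD$'
}

# Constructed sample: OpenWrt's shipped default root entry (passwordless, the
# line the lab sees in Step 14), four locked system accounts, an account with
# an md5crypt hash as busybox passwd would write (salt and hash are made up),
# and an old-style DES entry.
SAMPLE_SHADOW='root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
admin:$1$abcdefgh$ExampleHashExampleHash:18000:0:99999:7:::
legacy:AbCdEfGhIjKlM:18000:0:99999:7:::'

# Demo: the per-account table, then the pass/fail verdict.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
if printf '%s\n' "$SAMPLE_SHADOW" | no_passwordless_accounts; then
    echo "OK: every account has a password or is locked"
else
    echo "WARNING: at least one account logs in without a password"
fi
```

On the extracted file system from Task 2 this is `audit_shadow < etc/shadow`; on the running device, `cat /etc/shadow` piped into the same function. Before Step 19 the verdict is the warning; after Step 22 the root line should classify as HASH(md5crypt) and the verdict should be OK.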