Tuesday, May 2, 2017

5 - Analyzing, emulating and searching for Telnet credentials at a D-LINK router firmware


- Layout for this exercise:

1 - Downloading the firmware

- The firmware corresponding to the router D-LINK DIR-300 is downloaded from the support web page: 

- Once the firmware is downloaded:

2 - Analyzing the firmware

- Binwalk helps to analyze the firmware. For instance, the firmware is intended to be run under a MIPS architecture. Also, it is compressed with the LZMA algorithm:

 - The section of the firmware where the squashfs filesystem is located starts at 917632:

- The command dd converts the file skipping all the content up where the squashfs section starts, creating a new file called fylesystem_dlink:

- The new file:

- It is a data file type:

- Applying again binwalk, we check that now the content of the new file consists of only the squashfs section:

3 - Extracting the root file system

- Extracting the firmware with binwalk -e:

- Some files and directories are created, including the root file system at folder squashfs-root:

- The whole root file system is available at squashfs-root:

4 - Searching for the Telnet credentials

- Let's try to find any string related with the Telnet protocol using grep (-i=ignoring case distinctions, -R=reading recursively  -n=line numbering  ):

- Line number 8 inside /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:

- Going to the file /etc/scripts/misc/telnetd.sh:

- While username (-u) is Alphanetworks, the password seems to be stored at the variable $image_sign:

- Also, the file says where the value of the variable $image_sign is stored:

- Eventually the password is available, opening /etc/config/image_sign:

- By the way, the password can be detected with the command hexdump (see first line):

- Also, using the command strings, the first string corresponds to the Telnet password:

5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)

- Launching the script ./fat.py, and introducing the name of the firmware (dir300b_v2.05) and the brand DLINK:

- The password "firmadyne" is entered for going ahead with the emulation:

- The final step for setting the network interface lasts for exactly 60 seconds, time allotted to the firmware to boot up:

- Finally, browsing to the firmware is available as if it were a real physical device:

- The emulation can be destroyed just pressing any key: