
Tuesday, May 2, 2017

5 - Analyzing, emulating and searching for Telnet credentials in a D-LINK router firmware



ANALYZING D-LINK ROUTER FIRMWARE AND SEARCHING FOR TELNET CREDENTIALS

- Layout for this exercise:




1 - Downloading the firmware

- The firmware corresponding to the router D-LINK DIR-300 is downloaded from the support web page: 








- Once the firmware is downloaded:




2 - Analyzing the firmware

- Binwalk helps to analyze the firmware. Its signature scan shows, for instance, that the image contains code built for the MIPS architecture and a section compressed with the LZMA algorithm:




- The section of the firmware holding the squashfs filesystem starts at decimal byte offset 917632:




- The command dd copies the firmware, skipping all the content up to the offset where the squashfs section starts, into a new file called fylesystem_dlink:




- The new file:



- The file utility reports it as generic data:





- Applying binwalk again, we check that the new file now consists only of the squashfs section:



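- As an added example (not code from the original post), the following Python script reproduces what binwalk's scan and the dd copy do above, using only the standard library: it scans an image for the squashfs magic, validates each hit by reading the version fields that sit at bytes 28 and 30 of every squashfs superblock, and carves from the first valid offset to the end of the file. The firmware image it works on is constructed inline (junk bytes, a decoy magic, then a placeholder v4.0 superblock at the same 917632 offset reported by binwalk); it is not real D-Link firmware, and the file names are assumptions.

```python
"""Find the squashfs superblock inside a firmware image and carve it out.

Added example (not code from the original post): it reproduces, with only
the standard library, what the binwalk scan and the dd copy do in the
walkthrough. The offsets used are the squashfs superblock fields shared by
versions 2, 3 and 4; the sample image built below is constructed here and
is not real D-Link firmware.
"""
import os
import struct
import tempfile

# On-disk magic: "hsqs" for little-endian images, "sqsh" for big-endian ones.
MAGICS = {b"hsqs": "<", b"sqsh": ">"}

# s_major / s_minor sit at bytes 28 and 30 of the superblock in every squashfs
# version, so they are a cheap way to tell a real superblock from four stray
# bytes that happen to spell the magic inside compressed data.
VERSION_OFFSET = 28


def find_squashfs(data):
    """Return (offset, major, minor, endianness) for each plausible superblock."""
    hits = []
    for magic, endian in MAGICS.items():
        pos = data.find(magic)
        while pos != -1:
            if pos + VERSION_OFFSET + 4 <= len(data):
                major, minor = struct.unpack_from(endian + "HH", data, pos + VERSION_OFFSET)
                if 1 <= major <= 4:  # versions 1.x .. 4.x exist; anything else is noise
                    hits.append((pos, major, minor, endian))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(src_path, dst_path, offset):
    """Same effect as `dd if=src of=dst bs=1 skip=offset`: copy from offset to EOF."""
    written = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        src.seek(offset)
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
            written += len(chunk)
    return written


def build_sample_image(fs_offset=917632):
    """Constructed sample: junk, a decoy magic, then a minimal v4.0 superblock.

    fs_offset defaults to the offset binwalk reported in the walkthrough; the
    superblock is a placeholder header followed by filler, not a real filesystem.
    """
    junk = bytearray(fs_offset)
    junk[100:104] = b"hsqs"  # decoy: the version bytes behind it are zero, so it is rejected
    superblock = bytearray(96)  # v4 superblock length
    superblock[0:4] = b"hsqs"
    struct.pack_into("<HH", superblock, VERSION_OFFSET, 4, 0)  # s_major=4, s_minor=0
    return bytes(junk) + bytes(superblock) + b"\xaa" * 4096


def demo():
    """Write the sample image to a temp dir, locate the superblock and carve it."""
    image = build_sample_image()
    with tempfile.TemporaryDirectory() as tmp:
        fw = os.path.join(tmp, "dir300_sample.bin")  # assumed file names
        fs = os.path.join(tmp, "fylesystem_dlink")
        with open(fw, "wb") as f:
            f.write(image)
        hits = find_squashfs(image)
        offset = hits[0][0]
        written = carve(fw, fs, offset)
        with open(fs, "rb") as f:
            head = f.read(4)
    return {"hits": hits, "offset": offset, "written": written, "head": head}


if __name__ == "__main__":
    print(demo())
```

- Two caveats a practitioner will hit with the dd approach: `bs=1` copies one byte at a time and is slow on multi-megabyte images, so prefer a block size that divides the offset, or `iflag=skip_bytes` with GNU dd; and since dd copies to end of file, the carved file may carry trailing data after the filesystem, which unsquashfs and binwalk -e ignore.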

3 - Extracting the root file system

- Extracting the firmware with binwalk -e:




- Some files and directories are created, including the root file system in the folder squashfs-root:




- The whole root file system is available at squashfs-root:





4 - Searching for the Telnet credentials

- Let's try to find any string related to the Telnet protocol using grep (-i ignores case distinctions, -R reads recursively, -n prefixes each match with its line number):






- Line 8 of /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:




- Opening the file /etc/scripts/misc/telnetd.sh:







- While the username (-u) is Alphanetworks, the password is taken from the variable $image_sign:




- The same file also shows where the value of the variable $image_sign is read from:




- Finally the password is available by opening /etc/config/image_sign:




- The password can also be read with the command hexdump (see the first line):
 






- Likewise, with the command strings, the first string printed is the Telnet password:





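- As an added example (not code from the original post), the following Python script automates the manual steps of this section over an extracted rootfs: a recursive, case-insensitive, line-numbered search for "telnet" (the grep -iRn above), extraction of the username and the password variable from the telnetd start-up line, and resolution of that variable through the `cat` assignment in the same script to the config file it reads, whose first printable string is taken the way `strings | head -1` does. The rootfs it runs on is constructed inline: the telnetd.sh, rcS and image_sign contents are hypothetical stand-ins, not the real files from the firmware.

```python
"""Triage an extracted root filesystem for hard-coded Telnet credentials.

Added example, not code from the original post. It automates the manual
grep / strings work of step 4: search the tree for "telnet", pull the
username and the password variable out of the telnetd start-up line, and
resolve that variable from the config file the script reads it from. The
rootfs below is constructed inline with a hypothetical telnetd.sh and
image_sign; the real file contents from the firmware are not reproduced.
"""
import os
import re
import string
import tempfile

# Same notion of "printable" as strings(1): ASCII graphic characters, space and tab.
PRINTABLE = set(string.printable) - set("\n\r\x0b\x0c")

# telnetd line of the form `telnetd ... -u USER:$VAR ...`
USER_PASS = re.compile(r"-u\s+(\S+?):\$\{?(\w+)\}?")
# shell assignment of the form VAR=`cat /path` or VAR=$(cat /path)
VAR_FROM_FILE = re.compile(r"^\s*(\w+)=(?:`|\$\()\s*cat\s+(\S+?)\s*(?:`|\))", re.MULTILINE)


def grep_tree(root, pattern):
    """Like `grep -iRn pattern root`: (relative path, line number, line) for each hit."""
    regex = re.compile(pattern, re.IGNORECASE)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    if regex.search(line):
                        hits.append((os.path.relpath(path, root), lineno, line.rstrip("\n")))
    return sorted(hits)


def strings(data, minlen=4):
    """Like strings(1): every run of at least minlen printable bytes."""
    out, run = [], []
    for byte in data:
        if chr(byte) in PRINTABLE:
            run.append(chr(byte))
            continue
        if len(run) >= minlen:
            out.append("".join(run))
        run = []
    if len(run) >= minlen:
        out.append("".join(run))
    return out


def resolve_telnet_credentials(root, script="etc/scripts/misc/telnetd.sh"):
    """Recover user, password and its source file from the telnetd start-up script."""
    with open(os.path.join(root, script), "r", encoding="utf-8", errors="replace") as f:
        text = f.read()
    m = USER_PASS.search(text)
    if not m:
        return None
    user, var = m.groups()
    assignments = dict(VAR_FROM_FILE.findall(text))
    if var not in assignments:
        return {"user": user, "password": None, "source": None, "variable": var}
    source = assignments[var]
    with open(os.path.join(root, source.lstrip("/")), "rb") as f:
        words = strings(f.read())
    # `strings | head -1`: the first printable run, which also drops the trailing newline
    return {"user": user, "password": words[0] if words else None,
            "source": source, "variable": var}


# Constructed stand-ins for the files found in the walkthrough; not the real contents.
SAMPLE_FILES = {
    "etc/init.d/rcS": "#!/bin/sh\n/etc/scripts/misc/telnetd.sh start\n",
    "etc/scripts/misc/telnetd.sh": (
        "#!/bin/sh\n"
        "# constructed stand-in for the telnetd startup script\n"
        "image_sign=`cat /etc/config/image_sign`\n"
        'if [ "$1" = "start" ]; then\n'
        "\ttelnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &\n"
        "fi\n"
    ),
    "etc/config/image_sign": "EXAMPLE_SIGN_VALUE\n",  # placeholder, not the real value
    "etc/passwd": "root:x:0:0:root:/:/bin/sh\n",
}


def build_sample_rootfs(root):
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        hits = grep_tree(root, "telnet")
        creds = resolve_telnet_credentials(root)
    return {"hits": hits, "creds": creds}


if __name__ == "__main__":
    result = demo()
    for path, lineno, line in result["hits"]:
        print(f"{path}:{lineno}:{line}")
    print(result["creds"])
```

- Note the trailing newline that hexdump shows at the end of a config file like image_sign: `strings` and the shell's command substitution both drop it, so the recovered password is the first printable run, not the raw file contents.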

5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)

- Launching the script ./fat.py and entering the name of the firmware (dir300b_v2.05) and the brand DLINK:




- The password "firmadyne" is entered to proceed with the emulation:






- The final step, setting up the network interface, waits exactly 60 seconds, the time allotted for the firmware to boot:





- Finally, browsing to 192.168.0.1 shows the firmware's web interface as if it were a real physical device:





- The emulation can be destroyed by pressing any key: