ANALYZING D-LINK ROUTER FIRMWARE AND SEARCHING FOR TELNET CREDENTIALS
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGGhJ8RGkCFKiB4_3weC5kH3MC296MM3VzIOPUCu6imjXO0wpWxDi7FeycdI7ozcghN2tlLX2Kptn1vbHnUQv7KdIX3Sk4QE7vKl39kaeSCo6BQHFAyXsBR1to-4f0GCUsV_zrW3imSVZ-/s400/layout.jpg)
1 - Downloading the firmware
- The firmware corresponding to the router D-LINK DIR-300 is downloaded from the support web page:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgFSSF8-H4ynDJKXeq2Rmu3K_I9IKoTrmDNT7F0wEdZmoZhYt4RBJ3L1zfvjFcVSHMrUCBapGhUR58plDBLU4ODV2WTma5do6mkOuN84kjRlq5hlEUuG9wLQLBIISpXEkKCkHdYz8SWNfA/s640/screenshot.1.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOQffotffvZCZ1qSTKEAJLCb0eewEmfXuqarTZ-mddr0F346Pa30X4Xy0dZrS25wdSkB616hiyHd9qcfTToao5pWseJ6WToZ_Z2iw6geWLJ9IpAkIm8PcfKPHaP5QanbGLGo-GYgE-6MIK/s1600/screenshot.2.jpg)
- Once the firmware is downloaded:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5by-CGGZmDwPHHMOZU73ucPgbNnXGCNmyz9R_Uo0DGA22RpNLzN3XufEc9aWiqrkFqkuS4XzM3WxYSGDwmKH00dDK1ozpIVSzl84Pg1HpHCYKiumA9vcNFrLOsoajkZBJpKoXswDY4W6C/s1600/screenshot.3.jpg)
2 - Analyzing the firmware
- Binwalk helps analyze the firmware: for instance, it shows that the firmware is intended to run on a MIPS architecture and that it is compressed with the LZMA algorithm:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmRaEhnCo-9sW1_LZ_7plkOMbiGLYTWnDl1orQuoQQwVyYijZUmXiJysHJzJMt0i8Rj_h4hFME_iuwlAY7Fmq_BnhVN_C20PqGpc70rDTjYezvv0u8EGVlqh3Fnc8Ppuczr3Z4Ntr2RJzj/s1600/screenshot.10.jpg)
- The section of the firmware holding the squashfs filesystem starts at decimal byte offset 917632:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcKzp4Ca-WrjPlGjpiJlmzm3uwMWZIk3zpG5niFLMoI25M5suY8OI5oSoneGLvz39KKghXJ4GE_NmsqFXJf_4FRu81Y9wmZKcdSgVbzxijNPv-sm19L70hhMhrkPqw4__tt-fnGBoMTXmt/s1600/screenshot.11.jpg)
- The command dd copies the file, skipping all the content up to where the squashfs section starts, into a new file called fylesystem_dlink:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5vhwKVQV9nNN5FTUUKElRjL7MPZ2lq_I-znqMbrFmCkILFtQFn8GoZUfnX5iXsoLNEPJ5P7-Ku53sySsiXSFG3ot7EAkPaw_Gr4gj8lIhJJbtHE1bqrBnrQyc-gAsti79HUhqjkChXWHw/s1600/screenshot.12.jpg)
- The new file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3ICYZg7l7FCBHVFm3e222pTCLjcnSnPaIDMPP4nGt8nrkLpS9d0404PEP2ZakLk84oe8AQmBNPvyzfH7KPMTomYklfrbzmhU8SegD9AD93J7ORcRqCp-JwVtsQPaqe7o2QJeL7f31HpyA/s1600/screenshot.13.jpg)
- It is reported as a generic data file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX2nHtNa6d-Sfy1Rgr72kk_Dm4OBCC-No72t6FcJRa6CCHi7n9tI7c04oKdxO3-jm2eg0Ji-RBl-MC4pr8iFlbZkwD65YLYEOzI_3vyjSbC1baWjbEvDtufokzxMK85U4gIEGAVA18nfR5/s1600/screenshot.14.jpg)
- Applying binwalk again, we check that the new file now consists only of the squashfs section:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKcQFAZOq3jWdXkAFrHtxUuMJYc5WySmvdzJgjnQtAs3jasOVnm0ZJLmpzMKEP19egh-Um6aJFzJ7E4jULjTooBaMeE0W0xRE24hfjuT21Y8tLxUoE-4ivtG-t2sTghRsTuS3EBsT0tSoR/s1600/screenshot.15.jpg)
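The two steps above (reading the squashfs offset and carving from it with dd) can be scripted so they do not depend on reading the number off a binwalk screenshot. The following is an added example, not code from the post; it locates the squashfs superblock by its little-endian magic "hsqs" with grep, then carves from that offset exactly as the post's dd command does. The stand-in firmware image it builds is constructed for the example; the real image, its offset 917632 and the output name fylesystem_dlink are the post's.

```shell
#!/bin/sh
# Locate a squashfs superblock inside a firmware image and carve everything
# from that offset into a separate file (added example; assumes GNU grep
# for -b/-o byte offsets and a dd that accepts bs=/skip=).

# Print the byte offset of the first squashfs magic ("hsqs") in $1.
# Prints nothing if no magic is found.
find_squashfs_offset() {
    # -a: treat the binary as text, -o: print only the match,
    # -b: prefix each match with its byte offset; keep the first hit.
    grep -aob 'hsqs' "$1" | head -n 1 | cut -d: -f1
}

# Copy $1 from byte offset $2 to end-of-file into $3, as dd does in the post.
# bs=1 makes skip= count bytes but is slow on large images, so a 4096-byte
# block size is used when the offset happens to be block aligned.
carve_from_offset() {
    in=$1; off=$2; out=$3
    if [ $((off % 4096)) -eq 0 ]; then
        dd if="$in" of="$out" bs=4096 skip=$((off / 4096)) 2>/dev/null
    else
        dd if="$in" of="$out" bs=1 skip="$off" 2>/dev/null
    fi
}

# Build a constructed stand-in image: $2 bytes of filler "header", then a
# fake squashfs section that begins with the magic bytes.
make_sample_image() {
    out=$1; hdrlen=$2
    head -c "$hdrlen" /dev/zero | tr '\000' 'H' > "$out"
    printf 'hsqs-SUPERBLOCK-DATA' >> "$out"   # 20 bytes
}

# Stand-alone demo: carve the constructed image and report what was found.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_image "$tmp/fw.bin" 16
    off=$(find_squashfs_offset "$tmp/fw.bin")
    echo "squashfs magic found at byte offset $off"
    carve_from_offset "$tmp/fw.bin" "$off" "$tmp/fylesystem_dlink"
    echo "carved $(wc -c < "$tmp/fylesystem_dlink") bytes into $tmp/fylesystem_dlink"
fi
```

Running it with `--demo` exercises the whole pipeline on the constructed image; on a real firmware file, compare the offset the function prints with the one binwalk reports before carving, since an image may contain the magic string more than once (for example inside a second partition).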
3 - Extracting the root file system
- Extracting the firmware with binwalk -e:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8hm4QSuBrb3rBwDjBCXoEji-tVEMaHLbgWoJz2yhWk3Yb46eBqzbfi0VIj8LYCWpBrHj-Dpp703ugz6O-LI8KLgB-Z3lv8YeHhDBChxrFTMukFjMO6q1qB58ceN98IddG6PYCDGmu-sse/s1600/screenshot.16.jpg)
- Some files and directories are created, including the root file system in the folder squashfs-root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiq5tHcWsV5GZo7pYCXpZAGJKnrqXGVRBY9TUsnMTrePnDOcGRVdK2pR-A0jomV1DktYLCdN1GrWxGgY6K4f6jxQ-ezWRh5B8fIedsg4GEa_g21o4yReVsWRQsA-obsUnGKun2VNh0ToFs/s1600/screenshot.18.jpg)
- The whole root file system is available at squashfs-root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhB-yug27HDyz4YjKHVvFkxQvMZBHXGxVORDm0n4YQbiC6xCg0-GN77H59EzRKz8xNgEzKYNpikaOmDLnXw4V3gLTf9ZjY1mXt3w0Xgrs2wYe3GnWtu6PqIUQCB1TEM_vA3NUtoFgkrb0PB/s1600/screenshot.19.jpg)
4 - Searching for the Telnet credentials
- Let's try to find any string related to the Telnet protocol using grep (-i ignores case distinctions, -R reads recursively, -n prints line numbers):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi52NMlCoDZD5NMKhTiIkgpnTMt_ZC-lD8h2Gib225cFCHJqz2JSTNR1jGadqzC9N9AmF5eYNWaRTu7LFv1sLja8H1RXaBnqRNCI2xXDQssiJMtts6X5oxjppYUiIhuQXpCrbPAE1PBq12_/s1600/screenshot.20.jpg)
- Line number 8 inside /etc/scripts/misc/telnetd.sh yields interesting information about the Telnet credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4IYDLrZCMR5CrGLM8n5cWNUKbBTmqUDfA6JmUD8c99fZGkGoUAeJNlVk-aHfsitKRW1n241XQ2EfUQSQEDJo8Hbv1-S6pCY4XIRSoxqi5Q3rPKyzoRcEFZv2voaj3n3ry62JiOR17_R5F/s1600/screenshot.21.jpg)
- Opening the file /etc/scripts/misc/telnetd.sh:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaaJMnwkSCAioairukmSHnn1hKyckODCDl2xNZpcw1moxmxaHvALrah-9ZTp3ni9T8_o8y6_6vMx4aaoNi3uLcKEK4pIzNgSQigQewvLGdM95jxJhKqF6IpC8cdPQj3SvxdrFTbdJC9AP9/s1600/screenshot.26.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpH6g-JpLzCgG_eVrV7fjCWf8FMeeRAVYMhqGF0DzmBOeTItsUmCdHQHnHjg5Y01whdoKwvz8BZ_Xrg5jNhziMoP63daV9edEV6ACnLwXL1ugGIMr5e-PgtHG8sc7NmSG9Hw1v05XzJ0sG/s1600/screenshot.22.jpg)
- While the username (-u) is Alphanetworks, the password seems to be stored in the variable $image_sign:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkxix48rwQ6d62_RP6mm4bfL4EIUp_LsWFjL0avwYm2VRKil0oWmIvoOzauZIn6PG6h4Lm-9fpAeEZLaQKr1NF8zCjsSmt3ERRr-CBsOS7EzpQofvQoHcHTJg8-AlWLPSbQ-VuG21LE43x/s400/screenshot.23.jpg)
- The file also says where the value of the variable $image_sign is stored:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9fdACJh4lz5c-QJEmHL_T9KbeGddwQ4wEP8slxsqgjJ5nQloPcjf9psQT2XsjuexnTf7mevoP-ZygTe4LviJbQSlpM5i8TXqNDeGdoUA7TPcyqecQbrco9JArm9no9bE_ESMA0_k2nQIu/s1600/screenshot.25.jpg)
- Eventually the password is available by opening /etc/config/image_sign:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1RJSPSa7nLj3yr8bb8e-HpWJIPdP122It9ozERL59z8irhDkkuzsvyyPXpnQp1a1pNZU1zkfVS2KySpojXzsVNFyj_tTbqgAAImTL64QNzU-sIUBBCnt-bz6nujs62QJ7Ew2SUNwPezlh/s1600/screenshot.27.jpg)
- Alternatively, the password can be read with the command hexdump (see the first line):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicdbIxyTbAM8kzScM_5LiGdg6jY0ms6S6038CpxzVROIS70t8axO0Xj0nkB-GnUCq0_FX0PmJhnPxunemFv5WnKohgzSUGUdnbX7IIW7_8OuqfPJcYQr3fKcxfCSCqqTEquCnka396pRp8/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd8I0YMP7bLGE1kJixwcvDRX3WcrXdNAQ50FhHLAbYoTs5iWxcOmk-LvKSMYBIf5DUvFI-mYtrHB2hu_-yRw4gdVrsBzmMkYOHnox9EoP0yoeWdDbomdQe8U77Cf86TMRjQ3nzKekAkEyY/s1600/screenshot.4.jpg)
- Also, using the command strings, the first string corresponds to the Telnet password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv9rL86pocaS8-Pmuhiw8xWQhOdsiQanQ7-TLhxc8Lf9v_q9MpejNhQquTGz4A2-kdKNLEqPwfMLCCd8U_NL2x7Nd6vQo56GCO6_YwQxk0Wrij1sqbl7AOuK1aT3siCmhwJ0S22ScfIfq/s1600/screenshot.9.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIKfFkHkqNRdT41VSzimqrC2b8Ykk_W_bZJhPe6B2qdiGDdIYzzgYeBYxvu2n7CSB-WRdWjmJ4DbfaxqYQAOnPe-fYmQ-sXOT_rjOxBoqc5qmkJBa1hqxNB1fHjoPPb2IJ0fMWIwcimDni/s1600/screenshot.8.jpg)
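The manual chain in this section (grep for telnetd, read the -u argument, find where the variable comes from, open that file) is the kind of check a firmware audit should run automatically over every extracted root file system, so that an image shipping a fixed Telnet account is flagged before release. The following is an added example, not code from the post or from D-Link; it builds a constructed stand-in rootfs whose telnetd.sh mirrors what the post describes (username Alphanetworks, password taken from $image_sign, which is read from /etc/config/image_sign). The exact telnetd command line and the placeholder value EXAMPLE-IMAGE-SIGN are constructed for the example and are not the real file contents.

```shell
#!/bin/sh
# Audit an extracted root file system for telnetd startup scripts that pass
# a fixed username:password via -u, resolving $variables that are read from
# a file with `cat` (added example; assumes POSIX sh, sed, grep -R).

# Username passed to telnetd with -u (the part before ':'), or nothing.
telnet_user() {
    sed -n 's/.*telnetd.*-u[[:space:]]*\([^[:space:]:]*\).*/\1/p' "$1" | head -n 1
}

# Raw password token after 'user:' on the telnetd line; a literal or a
# shell variable reference such as $image_sign.
telnet_password_token() {
    sed -n 's/.*telnetd.*-u[[:space:]]*[^[:space:]:]*:\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Resolve a $variable token: find "var=`cat /path`" (or $(cat /path)) in the
# same script and print the first line of that file inside the rootfs $1.
# Literal tokens are printed unchanged; an unresolvable variable returns 1.
resolve_password() {
    root=$1; script=$2; token=$3
    case $token in
        \$*)
            var=${token#\$}; var=${var#\{}; var=${var%\}}
            src=$(sed -n "s/^[[:space:]]*$var=.*cat[[:space:]]*\([^\`)[:space:]]*\).*/\1/p" "$script" | head -n 1)
            [ -n "$src" ] || { echo "<unresolved $token>"; return 1; }
            head -n 1 "$root$src"
            ;;
        *) printf '%s\n' "$token" ;;
    esac
}

# One tab-separated finding per script: path-in-rootfs, user, password.
audit_telnet_credentials() {
    root=$1
    grep -Rl 'telnetd' "$root/etc" 2>/dev/null | while IFS= read -r script; do
        user=$(telnet_user "$script")
        [ -n "$user" ] || continue
        tok=$(telnet_password_token "$script")
        pw=$(resolve_password "$root" "$script" "$tok")
        printf '%s\t%s\t%s\n' "${script#"$root"}" "$user" "$pw"
    done
}

# Constructed stand-in rootfs modelled on the post's description.
make_sample_rootfs() {
    root=$1
    mkdir -p "$root/etc/scripts/misc" "$root/etc/config"
    cat > "$root/etc/scripts/misc/telnetd.sh" <<'EOF'
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
EOF
    # Placeholder value, not the real image_sign contents.
    printf 'EXAMPLE-IMAGE-SIGN\n' > "$root/etc/config/image_sign"
}

# Stand-alone demo: ./audit.sh --demo   (or pass a real squashfs-root path)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample_rootfs "$tmp"; audit_telnet_credentials "$tmp"
elif [ -d "${1:-}" ]; then
    audit_telnet_credentials "$1"
fi
```

Point the script at the squashfs-root folder produced by binwalk -e; a non-empty result means the image starts a Telnet service with credentials that are identical on every unit and recoverable from the firmware file alone, which is the finding to report (or the regression to block) rather than a secret to keep.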
5 - Emulating the firmware with FAT (Firmware Analysis Toolkit)
- Launching the script ./fat.py and entering the name of the firmware (dir300b_v2.05) and the brand DLINK:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjPvXJxjh29RE8vmTcOuvqzudDPkNWfE9kIZpZZoHfyYdePr8noRPtAI0CxDSEhv5OBVxFrmSeAafvjlZZ9sM74popbRErBzB6e4TDC-CSM6flhg5kiM3Juhf0rLSoklYJkiOiX5smHvnd/s1600/screenshot.1.jpg)
- The password "firmadyne" is entered to proceed with the emulation:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5bLkGbd_efIn6QPCLLV9DOtiUKM6phaQ9E_Kj-uQJHr4K7t-UAH_Of1kA3ktQgEdtIuorcjWWx7kLcfzi_38ollAOWNVymCaS2jg4-mvpaRYAdjGlG1MEfMgDyMjdhAtDl8dEUpO5YOop/s1600/screenshot.2.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxiDsM7D-1hYfa5pWrjH_nPB1UFG9EzvU9L9eVHr9sc6ZI48lfflhyw02eWsMvBQ1B5QITlmmAwxv0O1MCWhAX7Yw44tKR56d83zuTU0SApQ6PshbWbjt_mtu_p1UMDQaRa3gp2epcH8WG/s1600/screenshot.3.jpg)
- The final step, setting up the network interface, waits exactly 60 seconds, the time allotted for the firmware to boot:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhliBBvwTImT90ytMLsHmG_0k8qEMNRaIqUOR5gFyW94T27VPyLa4dLl_VHAFN9hsXgGJMSvjlHYXyG85KtmHs9TdJ9NLeokbV2zfkEnYe3l9hUyAthuXfTC63RLj3pRTZPWL0rMYqfjQ5A/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhW3luzXeP4V4BNS4YuAMksOW1YKRKW6jxZ8kYqY7Pj_Tbs4CmqM_9EGLhW-nTiA_a-eooA1T-lnq3Uyg14QcjCe9kdWaEIDUJfybeaoBdSWnbJyN1SVw0cm1QU34rfszSLX46uNE2df0cQ/s1600/screenshot.13.jpg)
- Finally, browsing to 192.168.0.1, the firmware is available as if it were a real physical device:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOlo0HF6UnUmQbDboEqwVm-DsI9U9cAX-dhP5nX-X7HMqHljo5zVv977ZHOu5joRL6rPzudJCJcZScqIrehIvFsrTQJTTi9wteYGGbi6yQzGEEEU69ilgSDRHNZyjrEM9_Y0byZ5KjP_h-/s640/screenshot.6.jpg)
- The emulation can be destroyed by pressing any key:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSW3JXdkgJQWIPe6XI6JXTB0CFRDuV3b1RUmEfc-rLkc8epFq1RvH0EUu3ty7SFt6wK19sG962L71p6HgjrEDN5LMR_vC5NGK-UAW7GBEVAMQ52QGEFCqoPz9wno5jeoqm_DElk-Til4fv/s1600/screenshot.14.jpg)