DWR-932_fw_revB_2_02_eu_en_20150709 固件漏洞分析调试
固件介绍某路由器有漏洞的固件,搜索名字,在官网上能够下载到对应版本
分析过程中使用的工具总结
binwalk、fcrackzip、unyaffs、hashcat、John the Ripper、firmwalker
第一步:破解密码
fcrackzip 破解工具的使用
得到 zip 解压密码:beUT9Z
第二步:用unyaffs 解压固件
mkdir test1
cp2K-mdm-image-mdm9625.yaffs2 test1
└─# unyaffs 2K-mdm-image-mdm9625.yaffs2
┌──(root💀kali)-
└─# ls
2K-mdm-image-mdm9625.yaffs2boot cache config2diskhomelinuxrcmnt sbin sysusrWEBSERVER
bin build.propconfigdev etc lib media procsdcardtmpvarwww
第三步:信息挖掘
└─# find . -name "*.conf"
└─# find . -name "shadow"
└─# find . -name "passwd"
└─# find . -name "*config*"
└─# find . -name "*history*"
└─# find . -name "*ssh*config*"
└─# find . -name "*ssh*host*"
第四步:寻找关键配置信息
cat ./etc/inadyn-mt.conf
cat ./etc/shadow
cat ./etc/passwd
从中发现某些用户名账号和口令,以及root 账户的用户名和密码HASH
第五步:使用 John 工具来破解 HASH
这里使用的 John 爆破的密码
┌──(root💀kali)-
└─# echo "root:aRDiHrJ0OkehM:16270:0:99999:7:::" > hash.txt
┌──(root💀kali)-
└─# ls
2K-mdm-image-mdm9625.yaffs2boot cache config2diskhash.txtlib mediaprocsdcardtmpvar www
bin build.propconfigdev etc home linuxrcmnt sbinsys usrWEBSERVER
┌──(root💀kali)-
└─# cat hash.txt
root:aRDiHrJ0OkehM:16270:0:99999:7:::
┌──(root💀kali)-
└─# john hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (descrypt, traditional crypt(3) )
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Warning: Only 327 candidates buffered for the current salt, minimum 512 needed for performance.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
1234 (root)
1g 0:00:00:00 DONE 2/3 (2021-12-01 21:57) 100.0g/s 1857Kp/s 1857Kc/s 1857KC/s 123456..betabeta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
第六步:使用 firmwalker
firmwalker
A simple bash script for searching the extracted or mounted firmware file system.
It will search through the extracted or mounted firmware file system for things of interest such as:
* etc/shadow and etc/passwd
* list out the etc/ssl directory
* search for SSL related files such as .pem, .crt, etc.
* search for configuration files
* look for script files
* search for other .bin files
* look for keywords such as admin, password, remote, etc.
* search for common web servers used on IoT devices
* search for common binaries such as ssh, tftp, dropbear, etc.
* search for URLs, email addresses and IP addresses
* Experimental support for making calls to the Shodan API using the Shodan CLI
***Firmware Directory***
../test1
***Search for password files***
##################################### passwd
1/bin/passwd
1/etc/passwd
1/var/lib/opkg/alternatives/passwd
...
第七步:查看启动项
cd etc/init.d
ls -l
第八步:分析 start_appmgr 脚本
cat start_appmgr
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
# Get the vendor_id,
VENDOR_ID=$(grep vendor_id /etc/versions 2>/dev/null | awk -F"=" '{print $2}')
case "$1" in
start)
if [ "$VENDOR_ID" = "Pure" ]; then
echo -n "Starting btnd: "
start-stop-daemon -S -b -a /bin/btnd
echo "done"
else
echo -n "Starting appmgr: "
start-stop-daemon -S -b -a /bin/appmgr
echo "done"
fi
;;
stop)
if [ "$VENDOR_ID" = "Pure" ]; then
echo -n "Stopping btnd: "
start-stop-daemon -K -n btnd
echo "done"
else
echo -n "Stopping appmgr: "
start-stop-daemon -K -n appmgr
echo "done"
fi
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage appmgr { start | stop | restart}" >&2
exit 1
;;
esac
其功能是开启 telnetd、btnd、appmgr 等服务
第九步:分析 appmgr 二进制文件
file appmgr 1 ⨯
appmgr: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 2.6.16, stripped
图片.png
相关学习链接:
学习链接1
学习链接2
https://github.com/PacktPublishing/IoT-Penetration-Testing-Cookbook 谢谢大佬无私贡献 感谢分享 谢谢分享!!谢谢 感谢大佬,厉害厉害👍🏻 谢谢分享 感謝大佬,厲害厲害
页:
[1]