Analyze Firmware
After you successfully obtained a firmware dump, it's time to analyze its content.
Quick wins
binwalk is the go-to option for quickly analyzing your firmware.
Identify data
binwalk firmware.bin
will give you an overview of which contents are found in the dump. Example output:
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             U-Boot bootloader image, header size: 64 bytes, load address: 0x80800000, entry point: 0x80800000, CRC32: 0xFFFFFFFF
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 524288 bytes
1024          0x400           Linux kernel ARM boot executable zImage (little-endian)
1048576       0x100000        Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 262144 bytes, 1198 inodes, blocksize: 131072 bytes, created: Mon Jan 1 00:00:00 2024
Extract Firmware
binwalk -e firmware.bin
will try to automatically extract all content, which will often give us the full root filesystem. Example:
Example extraction of a firmware
Entropy Analysis
binwalk -E firmware.bin
This will give us the entropy of the firmware. Note: regions of very high entropy can be a sign that compression or encryption is being used.
Example Output:
Here we see a blob which might be encrypted or compressed
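As an added example that is not part of the original page or of binwalk itself, the following Python script computes the same block-wise Shannon entropy that binwalk -E plots and reports contiguous high-entropy regions, the candidates for compressed or encrypted blobs. The sample image, the block size and the 7.5 bits/byte threshold are assumptions for illustration, not values from the page.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, block_size: int = 1024) -> list:
    """(offset, entropy) for each fixed-size block; this is the curve binwalk -E plots."""
    return [(off, shannon_entropy(image[off:off + block_size]))
            for off in range(0, len(image), block_size)]

def high_entropy_regions(image: bytes, block_size: int = 1024,
                         threshold: float = 7.5) -> list:
    """Merge consecutive blocks at or above the threshold into (start, end) byte ranges.
    Compressed or encrypted data sits near 8 bits/byte; code, text and padding sit far lower.
    The 7.5 threshold is an assumed cut-off, not a value from the page."""
    regions, start = [], None
    for off, h in entropy_profile(image, block_size):
        if h >= threshold and start is None:
            start = off
        elif h < threshold and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(image)))
    return regions

def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump (not a real image): a repetitive 3 KiB
    header, a 4 KiB pseudo-random blob standing in for an encrypted or compressed
    section, and 1 KiB of zero padding."""
    header = b"U-Boot stub " * 256                 # 3072 bytes, low entropy
    blob = random.Random(1234).randbytes(4096)      # deterministic, about 7.8 bits/byte
    padding = b"\x00" * 1024                        # 0 bits/byte
    return header + blob + padding

if __name__ == "__main__":
    image = build_sample_image()
    for off, h in entropy_profile(image):
        print(f"{off:>10} 0x{off:<8X} {h:5.2f} {'#' * int(h * 4)}")
    for start, end in high_entropy_regions(image):
        print(f"possible compressed/encrypted region: 0x{start:X}-0x{end:X}")
```

Run it against a real dump by replacing build_sample_image() with the file's bytes; the offsets of reported regions can then be compared against the binwalk signature scan to decide whether a high-entropy section is a known compressed format or an unidentified (possibly encrypted) blob.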
The strings command can be helpful to quickly find sensitive data like passwords or password hashes:
Password Hashes:
# matches the ":x:" placeholder in /etc/passwd entries and the $1$/$5$/$6$ crypt prefixes in /etc/shadow
strings firmware.bin | grep -E ':(x:|\$[156]\$)'
Hardcoded Credentials
strings firmware.bin | grep -i 'password'
strings firmware.bin | grep -i 'user'
strings firmware.bin | grep -i 'admin'
strings firmware.bin | grep -i 'login'
Private Keys and Certificates
strings firmware.bin | grep -i 'PRIVATE KEY'
strings firmware.bin | grep -i 'BEGIN RSA'
strings firmware.bin | grep -i 'BEGIN DSA'
API Keys, Tokens, and Secrets
strings firmware.bin | grep -i 'api_key'
strings firmware.bin | grep -i 'token'
strings firmware.bin | grep -i 'secret'
IP Addresses and URLs
strings firmware.bin | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
strings firmware.bin | grep -E 'http://|https://'
strings firmware.bin | grep -i 'ftp'
Configuration Files
strings firmware.bin | grep -i '\.conf'
strings firmware.bin | grep -i '\.ini'
strings firmware.bin | grep -i '\.xml'
Encryption Keys and Passwords
strings firmware.bin | grep -i 'encryption_key'
strings firmware.bin | grep -i 'aes'
strings firmware.bin | grep -i 'des'
strings firmware.bin | grep -i 'key='
Version Information
strings firmware.bin | grep -i 'version'
strings firmware.bin | grep -i 'build'
Debug Information
strings firmware.bin | grep -i 'debug'
strings firmware.bin | grep -i 'trace'
strings firmware.bin | grep -i 'error'
strings firmware.bin | grep -i 'fail'
Email Addresses
strings firmware.bin | grep -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
Encryption/Decryption Routines
strings firmware.bin | grep -i 'openssl'
strings firmware.bin | grep -i 'encrypt'
strings firmware.bin | grep -i 'decrypt'
Default and Backup Files
strings firmware.bin | grep -i 'default'
strings firmware.bin | grep -i 'backup'
SSH Information
strings firmware.bin | grep -i 'ssh'
strings firmware.bin | grep -i 'port'
Analysis of bare metal firmware
Todo
Resources: