In this blog post series we will show you certain steps among with the tools used in order to conduct IoT security assessments. In this first part you will need a .bin file of a device firmware in order to continue.

 

Tools needed

file

It determines the type of a file. file makes a guess at the type of each file argument by inspecting the attributes and (for an ordinary file) reading an initial part of the file. file compares each file on the command line to templates found in a system-maintained magic file to determine their file type.

https://linux.die.net/man/1/file

xdd

This tool makes a hexdump or do the reverse. xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its original binary form.

https://linux.die.net/man/1/xxd

binwalk 

A Firmware Analysis Tool. Binwalk is a simple Linux tool for analyzing binary files for embedded files and executable code. It is mostly used to extract the content of firmware images.

https://github.com/ReFirmLabs/binwalk

strings

It prints the strings of printable characters in files. Strings, for each file given, prints the printable character sequences that are at least 4 characters long (or the number given with the options below) and are followed by an unprintable character. By default, it only prints the strings from the initialized and loaded sections of object files; for other types of files, it prints the strings from the whole file.

https://linux.die.net/man/1/strings

Radare2

It is a complete framework for reverse-engineering and analyzing binaries; composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processors and operating systems.

https://rada.re/r/

hexdump

It displays the contents of a file in hexadecimal, decimal, octal, or ascii. hexdump utility is a filter which displays the specified files, or standard input if no files are specified, in a user-specified format.

http://man7.org/linux/man-pages/man1/hexdump.1.html

firmwalker

It is a simple bash script for searching the extracted or mounted firmware file system for things of interest such as: etc/shadow, etc/passwd, etc/ssl directory, SSL related files such as .pem, .crt, configuration files, script files, other .bin files, keywords such as admin, password, remote, etc., common web servers used on IoT devices, common binaries such as ssh, tftp, dropbear, etc., URLs, email addresses and IP addresses.

https://github.com/craigz28/firmwalker

Static Analysis

Determining the File Type

file myfile.bin

1. fileidentification-1024x152-min

Retrieving file’s Magic Bytes using xxd tool

Parameter Description
-l <length> stop after <length> octets.
xxd -l 4 myfile.bin
2. magicbytes-1024x120-min

Retrieving file’s Magic Bytes using binwalk tool

Parameter Description
-W Perform a hexdump / diff of a file or files.
-l <length> Number of bytes to scan.
binwalk -W -l 100 myfile.bin

3. magicbytes2-1024x285-min

Dumping file’s Strings

Parameter Description
-n <number> Locate & print any NUL-terminated sequence of at
-<number> least [number] characters (default 4).
strings -n 10 myfile.bin > strings.out

4. strings-1024x221-min

Searching for non-ASCII characters

Parameter Description
izz Search for Strings in the whole binary.
r2 myfile.bin

5. radare2-strings-1024x417-min

Display file’s contents in hexadecimal

Parameter Description
-C Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in “|” characters.
hexdump -C myfile.bin > hex.out

6. hexdump-1024x229-min

Analyzing Firmware architecture and its Filesystem

binwalk myfile.bin

7. binwalk-1-1024x225-min

Extracting firmware files automatically

Parameter Description
-M Recursively scan extracted files
-r Delete carved files after extraction
-e Automatically extract known file types
binwalk -Mre myfile.bin
or binwalk -Me myfile.bin

8. extract-files-1024x297-min
9. extracted-1024x98-min

Search the extracted firmware file system for goodies

./firmwalker.sh /path/to/extracted-firmware/root/fs/

10. firmwalker-1024x453-min