software running on an embedded platform


University of Wolverhampton
School of Mathematics and Computer Science
Student Number:
Name:
IoT Security Workshop 1

Lab Description
The firmware is the software running on an embedded platform, usually stored in read-only memory. It may contain various security issues, which are the subject of this lab. The most common firmware vulnerability is the presence of files containing sensitive information, such as credentials, passwords, keys, certificates, etc.
To discover such vulnerabilities, the steps are:
extract the firmware in order to access the files inside
check the firmware architecture
navigate through the filesystem searching for sensitive files
Task 1 – Installing AttifyOS using VMware Workstation
Download ‘AttifyOS-Training.ova’ from Canvas
Open VMware Workstation or VirtualBox
Open the downloaded file using the menu File – Open
Name your new virtual machine “AttifyOS-12345678”, where “12345678” is your student ID!
Press Import… if you get an error, press “Retry” to relax the security constraints
When the import ends, edit the machine settings clicking “Edit virtual machine settings”
Increase the available memory to 4096 MB and press OK
Power on the virtual machine by clicking “Power on this virtual machine”
If you get an error regarding a device ide1:0, press No
Task 2 – AttifyOS fundamentals
Log in to AttifyOS using the password attify123 (the username is oit, but you don’t need it at this time)
Familiarize yourself with the system, especially the menu above and check that the internet connection is working
Lab exercises are located in ~/Labs
Tools are located in ~/tools
What is “~”? What is the absolute path of “~”? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
When you need a terminal, you can open it by right-clicking on the desktop and choosing “Terminal”
To close a terminal window, type “exit” at the prompt. Try it.
Task 3 – Analysing Netgear firmware
In this task we are going to analyse and reverse engineer the firmware of a device created by Netgear.
Open a new terminal window
Enter the ~/Labs directory by typing (remember that Linux is case-sensitive)
cd ~/Labs
and then enter Firmware directory by typing
cd Firmware
List the directory entries by typing
ls -l
and the result should be the following
The firmware we are interested in resides in the file wnap320
Which kind of device is it? Search on the Internet. [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Extract the archive file by typing
unzip wnap320.zip -d wnap320.extracted
this will create a new directory “wnap320.extracted” with all the extracted files
Move to that directory and list the content
cd wnap320.extracted
ls -l
you should see one HTML file and one “tar” archive.
What is a tar archive? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Extract the tarball by typing
tar -xvf WNAP320_V2.0.3_firmware.tar
and check now the directory entries: you should see
Provide a description of the file types “md5, uImage, squashfs”. Check on the Internet. [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Extract the filesystem inside the file rootfs.squashfs
binwalk -e rootfs.squashfs
it will create a new subdirectory called _rootfs.squashfs.extracted and, inside this one, another one called squashfs-root
now enter these directories
cd _rootfs.squashfs.extracted
cd squashfs-root
you should see these files and directories
What is binwalk? Check on the Internet. [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Identify the architecture the firmware runs on (usually ARM or MIPS). To retrieve the architecture, we need to find an executable file and check its format.
One of the most common binaries is called “busybox”: what is it? Check on the Internet. [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Search for busybox by typing
find . -name 'busybox'
and you will discover that the file is in /bin directory. Now get the architecture with
file ./bin/busybox
What is the CPU architecture? Choose from ARM, MIPS, PowerPC, x86. [Marks]
_______________________________________________________________________________________
Why do you think it is important to know the architecture? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
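The architecture check above relies on fields in the ELF header of the executable, which can also be read directly. The following is an added example, not part of the original worksheet; the function name elf_arch and the two sample headers are constructed for illustration.

```shell
#!/bin/sh
# elf_arch FILE: print "<machine> <bits>-bit <byte order>" from the ELF header.
elf_arch() {
    f=$1
    # Bytes 0-3 are the magic number 0x7f 'E' 'L' 'F'.
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "not an ELF file"; return 1; }
    # Byte 4 (EI_CLASS): 1 = 32-bit, 2 = 64-bit.
    case $(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n') in
        1) bits=32 ;; 2) bits=64 ;; *) bits=unknown ;;
    esac
    # Byte 5 (EI_DATA): 1 = little-endian, 2 = big-endian.
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # Bytes 18-19 (e_machine) are stored in the byte order EI_DATA declares.
    set -- $(od -An -tu1 -j18 -N2 "$f")
    [ $# -eq 2 ] || { echo "truncated ELF header"; return 1; }
    if [ "$data" = 2 ]; then order=big-endian; machine=$(( $1 * 256 + $2 ))
    else order=little-endian; machine=$(( $2 * 256 + $1 )); fi
    case $machine in
        3)  name=x86 ;;
        8)  name=MIPS ;;
        20) name=PowerPC ;;
        40) name=ARM ;;
        62) name=x86-64 ;;
        *)  name="machine-$machine" ;;
    esac
    echo "$name ${bits}-bit $order"
}

# Constructed 20-byte headers for the demo; not taken from any firmware image.
make_samples() {
    # 32-bit, big-endian, e_type=2, e_machine=8
    printf '\177ELF\001\002\001\000\000\000\000\000\000\000\000\000\000\002\000\010' > "$1/be.bin"
    # 32-bit, little-endian, e_type=2, e_machine=40
    printf '\177ELF\001\001\001\000\000\000\000\000\000\000\000\000\002\000\050\000' > "$1/le.bin"
}

tmp=$(mktemp -d)
make_samples "$tmp"
elf_arch "$tmp/be.bin"
elf_arch "$tmp/le.bin"
rm -rf "$tmp"
```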
Find sensitive information inside the firmware
Unfortunately, there is no universal location for finding the files we are looking for. Often this phase requires a lot of patience and perseverance. However, you can speed up the process by initially searching in the locations where the configuration files are most likely to be found. For example, the /etc directory in Linux distributions is a good candidate.
Explain why /etc is important. [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Now enter /etc directory
cd etc
you should find these files
The file “server.pem” is an SSL certificate. Display its content by typing
cat server.pem
The lines starting with “-----” are comments: which kind of certificate is this? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Now you can close the terminal by typing
exit
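The search for sensitive files in Task 3 can be turned into a repeatable check over any extracted root filesystem by listing every PEM block and its label. The following is an added example, not part of the original worksheet; the function names and the sample tree (with a placeholder base64 body) are constructed for illustration.

```shell
#!/bin/sh
# scan_pem ROOT: one line per PEM block found, as "<path>: <block label>".
scan_pem() {
    # -r recurse, -I skip binaries, -o print only the BEGIN marker itself.
    ( cd "$1" && grep -rIoE -e '-----BEGIN [A-Z0-9 ]+-----' . ) |
        sed -e 's|^\./||' -e 's/:-----BEGIN /: /' -e 's/-----$//' | sort
}

# private_keys ROOT: files that ship private key material.
private_keys() {
    scan_pem "$1" | grep 'PRIVATE KEY$' | cut -d: -f1 | sort -u
}

# bundled ROOT: files holding a certificate and a private key side by side.
bundled() {
    for f in $(private_keys "$1"); do
        scan_pem "$1" | grep -q "^$f: CERTIFICATE\$" && echo "$f"
    done
    return 0
}

# Constructed sample tree; the base64 body is a placeholder, not key material.
make_pem_tree() {
    mkdir -p "$1/etc" "$1/www"
    body='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' "$body" '-----END RSA PRIVATE KEY-----' \
        > "$1/etc/device.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
        > "$1/etc/ca.pem"
    printf '%s\n' '<html>index</html>' > "$1/www/index.html"
}

tmp=$(mktemp -d)
make_pem_tree "$tmp"
scan_pem "$tmp"
echo "private key shipped in: $(private_keys "$tmp")"
rm -rf "$tmp"
```

A private key found this way is identical on every device that runs the same image, so it cannot be treated as a secret.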
Task 4 – Analysing DLink firmware
Following the example of the previous task, we now try to analyse and reverse engineer the firmware of a device created by DLink. Check the previous section if you don’t remember any commands.
Open a new terminal window
Enter the ~/Labs/Firmware directory
List the directory entries
The firmware we are interested in is the file Dlink_firmware.bin
List again the directory entries and you should see as follows
Which directory has been created for the extracted firmware? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What is the CPU architecture? Choose from ARM, MIPS, PowerPC, x86. [Marks]
_______________________________________________________________________________________
Search for vulnerable services inside the “etc/scripts” folder (search it in the filesystem).
What is a shell script? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Now enter the “misc” subdirectory. The file telnetd.sh looks promising. The trailing “d” indicates that this is a daemon or a service.
What does “daemon” mean? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
What is the telnet service? [Marks]
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Display the file content with
cat telnetd.sh
Don’t be scared! You don’t have to fully understand the script! Nearly in the middle, there is the command to start the telnet service. The option “-u” gives the username and the password used to connect to the service, separated by “:”. In this case the username is Alphanetworks.
The corresponding password is held in a variable named “image_sign”, which is set at the top of the script to the content of the file /etc/config/image_sign. Hence, to find the password we need to display the content of the file etc/config/image_sign.
Move to the directory etc/config (how can you go back to the parent directory?) and display the content (check on the Internet how to do it… hint: it is also displayed in the previous screenshot)
What is the password for the user Alphanetworks? [Marks]
______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
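The manual trace above (find the telnetd line, read the “-u” argument, follow the variable back to the file that fills it) can be written as an audit check for an extracted filesystem. The following is an added example, not part of the original worksheet; the function names are hypothetical, and the sample script and signature value are constructed from the description above rather than copied from the real firmware.

```shell
#!/bin/sh
# telnet_creds ROOT: report telnetd logins hardcoded in scripts under ROOT/etc.
telnet_creds() {
    root=${1%/}
    grep -rIlE 'telnetd .*-u ' "$root/etc" 2>/dev/null | sort |
    while read -r script; do
        # The token after -u has the form user:password.
        cred=$(sed -n 's/.*telnetd .*-u  *\([^ ]*\).*/\1/p' "$script" | head -n 1)
        user=${cred%%:*}
        pass=${cred#*:}
        origin=literal
        case $pass in
        \$*)
            # Password is a shell variable: find its  var=`cat FILE`  assignment.
            var=${pass#?}
            src=$(sed -n "s/^[[:space:]]*$var=[\`\$(]*cat  *\([^\`) ]*\).*/\1/p" \
                  "$script" | head -n 1)
            # FILE is absolute on the device, so look it up under the extracted root.
            if [ -n "$src" ] && [ -f "$root$src" ]; then
                pass=$(cat "$root$src"); origin=$src
            else
                origin=unresolved
            fi ;;
        esac
        rel=${script#"$root"/}
        echo "$rel: user=$user password=$pass source=$origin"
    done
}

# Constructed tree mirroring the layout described above; the signature value
# is a placeholder, not the content of any real image.
make_telnet_tree() {
    mkdir -p "$1/etc/scripts/misc" "$1/etc/config"
    echo 'CONSTRUCTED_SIGNATURE' > "$1/etc/config/image_sign"
    cat > "$1/etc/scripts/misc/telnetd.sh" <<'EOF'
#!/bin/sh
image_sign=`cat /etc/config/image_sign`
telnetd -u Alphanetworks:$image_sign &
EOF
}

tmp=$(mktemp -d)
make_telnet_tree "$tmp"
telnet_creds "$tmp"
rm -rf "$tmp"
```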
(OPTIONAL – if you have time and for fun only!)
Using what you have just learned, try to discover any useful information regarding the firmware DIR-645_FIRMWARE_1.04.B12_BETA (the architecture, possible certificates and service credentials).
Explain any special steps you think are necessary.
