After you have successfully obtained a firmware dump, it is time to analyze its content.
binwalk is the go-to option for quickly analyzing your firmware.
Identify data

```
binwalk firmware.bin
```

This gives you an overview of which contents are found in the dump.

Example output:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             U-Boot bootloader image, header size: 64 bytes, load address: 0x80800000, entry point: 0x80800000, CRC32: 0xFFFFFFFF
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 524288 bytes
1024          0x400           Linux kernel ARM boot executable zImage (little-endian)
1048576       0x100000        Squashfs filesystem, little endian, version 4.0, compression: lzma, size: 262144 bytes, 1198 inodes, blocksize: 131072 bytes, created: Mon Jan 1 00:00:00 2024
```
Extract Firmware

```
binwalk -e firmware.bin
```

This will try to automatically extract all content and will often give us the full root filesystem.

Example (image): Example extraction of a firmware
Entropy Analysis

```
binwalk -E firmware.bin
```

This will give us the entropy of the firmware. Note: parts with very high entropy can be a sign of compression or encryption being used.

Example output (image): Here we see a blob which might be encrypted or compressed
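As an added example that is not part of the original page, the following Python script computes the same per-block Shannon entropy that `binwalk -E` plots and merges consecutive high-entropy blocks into byte ranges worth a closer look. The constructed sample image, the 1 KiB block size and the 7.5 bits/byte threshold are assumptions chosen for the demonstration, not values from the page.

```python
import math
import hashlib
from collections import Counter

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for uniform data, up to 8.0 for random data."""
    if not chunk:
        return 0.0
    counts = Counter(chunk)
    total = len(chunk)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def entropy_map(data: bytes, block_size: int = 1024) -> list[tuple[int, float]]:
    """Entropy per fixed-size block as (offset, entropy) pairs, the data behind a binwalk -E plot."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]

def high_entropy_regions(data: bytes, block_size: int = 1024, threshold: float = 7.5) -> list[tuple[int, int]]:
    """Merge consecutive blocks at or above threshold into (start, end) byte ranges.
    Ranges close to 8 bits/byte are candidates for compressed or encrypted blobs."""
    regions, start = [], None
    for off, ent in entropy_map(data, block_size):
        if ent >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (chained SHA-256) so the sample image is reproducible."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

# Constructed sample image (assumption): 4 KiB of erased-flash padding, 8 KiB of a
# compressed/encrypted-looking blob, then 4 KiB of plaintext-like passwd lines.
SAMPLE_IMAGE = (b"\xff" * 4096 + pseudo_random_bytes(8192)
                + (b"root:x:0:0:root:/root:/bin/sh\n" * 137)[:4096])

if __name__ == "__main__":
    for off, ent in entropy_map(SAMPLE_IMAGE):
        print(f"0x{off:06x}  {ent:5.2f}  {'#' * int(ent * 4)}")
    print("high-entropy regions:", [(hex(s), hex(e)) for s, e in high_entropy_regions(SAMPLE_IMAGE)])
```

Run it against a real dump by replacing SAMPLE_IMAGE with the bytes of firmware.bin; the reported ranges are where you would expect binwalk to find an LZMA/gzip header or, if nothing is identified, an encrypted section.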
The `strings` command can be helpful to quickly find sensitive data like passwords or password hashes:
Password Hashes

```
# ':x:' marks passwd entries whose hash lives in /etc/shadow;
# ':$1$', ':$5$' and ':$6$' mark MD5, SHA-256 and SHA-512 crypt hashes
strings firmware.bin | grep -E ':x:|:\$[156]\$'
```

Hardcoded Credentials

```
strings firmware.bin | grep -i 'password'
strings firmware.bin | grep -i 'user'
strings firmware.bin | grep -i 'admin'
strings firmware.bin | grep -i 'login'
```

Private Keys and Certificates

```
strings firmware.bin | grep -i 'PRIVATE KEY'
strings firmware.bin | grep -i 'BEGIN RSA'
strings firmware.bin | grep -i 'BEGIN DSA'
```

API Keys, Tokens, and Secrets

```
strings firmware.bin | grep -i 'api_key'
strings firmware.bin | grep -i 'token'
strings firmware.bin | grep -i 'secret'
```

IP Addresses and URLs

```
strings firmware.bin | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'
strings firmware.bin | grep -E 'http://|https://'
strings firmware.bin | grep -i 'ftp'
```

Configuration Files

```
# the dot is escaped so it matches a literal '.' rather than any character
strings firmware.bin | grep -i '\.conf'
strings firmware.bin | grep -i '\.ini'
strings firmware.bin | grep -i '\.xml'
```

Encryption Keys and Passwords

```
# 'aes' and especially 'des' also match unrelated words (e.g. "description"), so expect noise
strings firmware.bin | grep -i 'encryption_key'
strings firmware.bin | grep -i 'aes'
strings firmware.bin | grep -i 'des'
strings firmware.bin | grep -i 'key='
```

Version Information

```
strings firmware.bin | grep -i 'version'
strings firmware.bin | grep -i 'build'
```

Debug Information

```
strings firmware.bin | grep -i 'debug'
strings firmware.bin | grep -i 'trace'
strings firmware.bin | grep -i 'error'
strings firmware.bin | grep -i 'fail'
```

Email Addresses

```
strings firmware.bin | grep -E '\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b'
```

Encryption/Decryption Routines

```
strings firmware.bin | grep -i 'openssl'
strings firmware.bin | grep -i 'encrypt'
strings firmware.bin | grep -i 'decrypt'
```

Default and Backup Files

```
strings firmware.bin | grep -i 'default'
strings firmware.bin | grep -i 'backup'
```

SSH Information

```
strings firmware.bin | grep -i 'ssh'
strings firmware.bin | grep -i 'port'
```
Todo
Resources: