Binwalk 0.4.2 Release

Binwalk v0.4.2 has just been released. One of the major drawbacks to binwalk in the past has been scan time, which can take quite a while on larger files. Thanks to some user-supplied suggestions, I’m happy to say that scan times have been improved by several orders of magnitude; scans that previously took 10+ minutes now finish in just 30 seconds!

Some new search options have been added as well, one of my favorites being --raw-bytes. This option allows you to specify a sequence of bytes to search for without having to create a custom entry in the magic file:

$ binwalk --raw-bytes="abcdefg" firmware.bin
$ binwalk --raw-bytes="\x00\x01\x02\x03" firmware.bin
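As an added example (my own code, not part of binwalk), the Python below does what a raw-byte search needs to do: it turns a command-line style pattern such as `\x00\x01\x02\x03` or `abcdefg` into bytes, then reports every offset at which the sequence occurs in a blob, including overlapping occurrences, in the decimal/hex layout binwalk uses. The escape syntax accepted by `parse_raw_bytes` (only `\xNN` and `\\`) and the sample blob are my assumptions, not binwalk's actual parser.

```python
import re

# Constructed sample "firmware": filler with the needle planted at two offsets.
SAMPLE_BLOB = (b'\x00' * 5 + b'\x00\x01\x02\x03' + b'\xff' * 11
               + b'\x00\x01\x02\x03' + b'\xff' * 8)


def parse_raw_bytes(spec):
    """Convert a CLI-style pattern into bytes.

    Assumed syntax: \\xNN for an arbitrary byte, \\\\ for a literal backslash,
    every other character taken literally (latin-1, so one char == one byte).
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == '\\':
            if spec[i + 1:i + 2] == 'x' and re.fullmatch(r'[0-9A-Fa-f]{2}', spec[i + 2:i + 4] or ''):
                out.append(int(spec[i + 2:i + 4], 16))
                i += 4
                continue
            if spec[i + 1:i + 2] == '\\':
                out.append(0x5C)
                i += 2
                continue
            raise ValueError('unsupported escape at position %d in %r' % (i, spec))
        out.extend(c.encode('latin-1'))
        i += 1
    return bytes(out)


def find_raw_bytes(blob, needle):
    """Return every offset of needle in blob, overlapping matches included."""
    if not needle:
        raise ValueError('empty search pattern')
    hits = []
    start = 0
    while True:
        idx = blob.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1   # step one byte, not len(needle), so overlaps are found


def format_hits(hits, needle):
    """Render results in binwalk's DECIMAL / HEX / DESCRIPTION layout."""
    lines = ['DECIMAL   \tHEX       \tDESCRIPTION',
             '-' * 61]
    for off in hits:
        lines.append('%-10d\t%-10s\tRaw byte sequence %r' % (off, '0x%X' % off, needle))
    return '\n'.join(lines)


if __name__ == '__main__':
    pattern = parse_raw_bytes('\\x00\\x01\\x02\\x03')
    print(format_hits(find_raw_bytes(SAMPLE_BLOB, pattern), pattern))
```

Stepping the search start by one byte rather than by the pattern length matters for patterns made of repeated bytes; a naive loop that skips past each match would miss the second of two overlapping occurrences.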

Get the 0.4.2 release here.

Reaver Now Goes to 11

The decision has been made to open source the Reaver command line tool. The commercial version will contain all the features the open source command-line tool has, along with a web based client, support, and service options.

This means that the open source version of Reaver will have much requested features, such as identification of WPS enabled networks and pause/resume functionality.

This also means that Reaver will have the ability to store options for a given model in a database. In other words, if it is known that certain options are required or helpful when attacking XYZ router, you can put them in the database and they will be automatically applied whenever you target that model of router. How often the FOSS database will be updated remains to be seen; obviously those paying for the support plan will take priority.

The latest Reaver release (1.3) now also implements the short DH key optimizations described in the original vulnerability release paper, which reduces computation time on the target AP and increases the attack speed.

Cracking WPA in 10 Hours or Less

The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.

This is something that I’ve been testing and using for a while now, but Stefan over at .braindump beat me to publication. Such is life. 🙂

Stefan’s code isn’t quite ready for release yet, so I’ve open-sourced Reaver, my WPS attack tool. Reaver is stable and has been tested against a variety of access points and WPS implementations.

Usage is simple; just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

For those interested, there is also a commercial version available with more features and speed improvements.

Adding Hyperlinks to IDA HTML Files With IDAnchor

IDA can export disassembled data in a variety of formats, including HTML. However, the HTML output is difficult to navigate as there are no hyperlinks connecting any of the code cross references. This is a bit frustrating, so I wrote IDAnchor.

IDAnchor will take an HTML file generated by IDA and attempt to locate functions and code references in the file. It then adds anchor tags to each location and hyperlinks all cross references together for easy navigation. It also adds a function navigation table for easily jumping to a desired function:

[Image: IDAnchor example output]

IDAnchor is still very much beta code, but so far it works for me!
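As an added illustration of the transformation described above (my own code, not IDAnchor's), the Python below works on a constructed stand-in for an IDA HTML export: a `<pre>` block of disassembly where function and location labels follow IDA's `sub_XXXXXXXX` / `loc_XXXXXXXX` naming. The plain `<pre>` layout, the label conventions, and the sample listing are assumptions; a real IDA export wraps tokens in styled `<span>` tags, which a regex over the text still handles as long as a label is not split across tags.

```python
import re

# Constructed stand-in for an IDA HTML export (not a real IDA file).
SAMPLE_IDA_HTML = """<html><body><pre>
.text:00401000 sub_401000:
.text:00401000     push    ebp
.text:00401001     mov     ebp, esp
.text:00401003     call    sub_401020
.text:00401008     test    eax, eax
.text:0040100A     jnz     short loc_401010
.text:0040100C     xor     eax, eax
.text:0040100E     jmp     short loc_401015
.text:00401010 loc_401010:
.text:00401010     mov     eax, 1
.text:00401015 loc_401015:
.text:00401015     pop     ebp
.text:00401016     retn
.text:00401020 sub_401020:
.text:00401020     call    sub_deadbeef
.text:00401025     retn
</pre></body></html>
"""

LABEL = r'(?:sub|loc)_[0-9A-Fa-f]+'
DEF_RE = re.compile(r'\b(' + LABEL + r'):')          # "sub_401000:" defines a label
REF_RE = re.compile(r'\b(' + LABEL + r')\b(?!:)')    # "call sub_401000" references one


def find_definitions(html):
    """Return the set of labels that are defined ('label:') somewhere in the file."""
    return set(DEF_RE.findall(html))


def add_anchors(html):
    """Hyperlink cross references to named anchors and prepend a function table."""
    defined = find_definitions(html)

    def link_ref(m):
        name = m.group(1)
        if name not in defined:
            return name            # dangling reference: leave it as plain text
        return '<a href="#%s">%s</a>' % (name, name)

    # Pass 1: hyperlink references. This runs before anchors are inserted so
    # the label text inside name="..." attributes is never itself rewritten.
    html = REF_RE.sub(link_ref, html)
    # Pass 2: drop a named anchor in front of every definition.
    html = DEF_RE.sub(lambda m: '<a name="%s"></a>%s:' % (m.group(1), m.group(1)), html)

    # Navigation table listing only functions (sub_*), not local labels (loc_*).
    functions = sorted(n for n in defined if n.startswith('sub_'))
    rows = ''.join('<tr><td><a href="#%s">%s</a></td></tr>\n' % (f, f) for f in functions)
    nav = '<table border="1">\n<tr><th>Functions</th></tr>\n' + rows + '</table>\n'
    if '<body>' in html:
        return html.replace('<body>', '<body>\n' + nav, 1)
    return nav + html


if __name__ == '__main__':
    print(add_anchors(SAMPLE_IDA_HTML))
```

The order of the two passes is the one subtle point: linking references first means the `name="sub_401000"` attributes added afterwards are never mistaken for references, and checking each reference against the set of defined labels keeps calls into code IDA did not export (here the constructed `sub_deadbeef`) from becoming broken links.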

Firmware-Mod-Kit Updated, v0.69 Released

For the past month I’ve been working with Jeremy Collake on updating the firmware-mod-kit. This has resulted in lots of bug fixes and the creation of two new scripts for deconstructing and re-building firmware images:

  • extract-ng.sh
  • build-ng.sh

The NG scripts have been designed as more flexible and generic replacements for the current extract_firmware.sh / build_firmware.sh scripts, and provide many improved features including:

  • The use of binwalk (now included with the firmware-mod-kit) to locate and extract file systems
  • Automatic identification and extraction of firmware footers, such as those used by the TEW-632BRP
  • Automatic identification of the correct SquashFS version and compression to use
  • Support for identifying and patching multiple headers inside a single firmware image.

Usage is simple. To extract a firmware image, run:

$ ./extract-ng.sh firmware.bin

The extracted file system will be saved to fmk/rootfs. After modifying the root file system, the new firmware image can be re-built by running:

$ ./build-ng.sh

Additionally, several new tools have been added to the kit, including:

  • New un/squashfs utilities
  • New uncramfs utilities
  • crcalc, a tool to update uImage and TRX checksums

The extract-ng.sh and build-ng.sh tools currently support TRX and uImage firmware headers and SquashFS file systems, and should work with most firmware images that use these components. However, they are still in beta testing and should be considered less stable than the older extract_firmware.sh and build_firmware.sh tools.
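Why a rebuilt image needs a tool like crcalc at all: a uImage header carries two CRC32 values, one over the payload and one over the header itself, and a boot loader will refuse an image whose payload changed without them being updated. As an added example (my own Python, not the firmware-mod-kit's crcalc), the code below parses the 64-byte big-endian U-Boot uImage header, verifies both checksums, and recomputes them after a modification. The header layout and the zlib CRC32 are U-Boot's; the sample payload and the `make_uimage` helper are constructed for the test. The TRX header crcalc also handles has a different layout and is not covered here.

```python
import struct
import zlib

IH_MAGIC = 0x27051956          # U-Boot uImage magic
IH_HEADER_LEN = 64
# Big-endian: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
IH_FORMAT = '>IIIIIIIBBBB32s'
IH_KEYS = ('magic', 'hcrc', 'time', 'size', 'load', 'ep', 'dcrc',
           'os', 'arch', 'type', 'comp', 'name')


def crc32(data):
    return zlib.crc32(data) & 0xffffffff


def parse_uimage_header(image):
    """Return the header fields as a dict, or raise if this is not a uImage."""
    if len(image) < IH_HEADER_LEN:
        raise ValueError('too short for a uImage header')
    hdr = dict(zip(IH_KEYS, struct.unpack(IH_FORMAT, image[:IH_HEADER_LEN])))
    if hdr['magic'] != IH_MAGIC:
        raise ValueError('bad uImage magic 0x%08x' % hdr['magic'])
    return hdr


def header_crc(header_bytes):
    """hcrc is computed over the header with the hcrc field itself zeroed."""
    zeroed = header_bytes[:4] + b'\x00\x00\x00\x00' + header_bytes[8:]
    return crc32(zeroed)


def verify_uimage(image):
    """Return (header_crc_ok, data_crc_ok) for an image."""
    hdr = parse_uimage_header(image)
    data = image[IH_HEADER_LEN:IH_HEADER_LEN + hdr['size']]
    hcrc_ok = header_crc(image[:IH_HEADER_LEN]) == hdr['hcrc']
    dcrc_ok = len(data) == hdr['size'] and crc32(data) == hdr['dcrc']
    return hcrc_ok, dcrc_ok


def fix_uimage(image):
    """Recompute dcrc over the payload, then hcrc over the header; keep any trailing bytes."""
    hdr = parse_uimage_header(image)
    data = image[IH_HEADER_LEN:IH_HEADER_LEN + hdr['size']]
    if len(data) != hdr['size']:
        raise ValueError('image truncated: header says %d bytes of data' % hdr['size'])
    new_hdr = struct.pack(IH_FORMAT, hdr['magic'], 0, hdr['time'], hdr['size'],
                          hdr['load'], hdr['ep'], crc32(data), hdr['os'],
                          hdr['arch'], hdr['type'], hdr['comp'], hdr['name'])
    new_hdr = new_hdr[:4] + struct.pack('>I', header_crc(new_hdr)) + new_hdr[8:]
    return new_hdr + image[IH_HEADER_LEN:]


def make_uimage(payload, name=b'constructed'):
    """Build a valid uImage around payload (os=Linux, arch=MIPS, type=kernel, comp=none)."""
    hdr = struct.pack(IH_FORMAT, IH_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000,
                      crc32(payload), 5, 5, 2, 0, name)
    hdr = hdr[:4] + struct.pack('>I', header_crc(hdr)) + hdr[8:]
    return hdr + payload


if __name__ == '__main__':
    img = make_uimage(bytes(range(256)) * 4)
    print('fresh image:', verify_uimage(img))
    patched = img[:IH_HEADER_LEN] + b'\xff' + img[IH_HEADER_LEN + 1:]   # modify one payload byte
    print('after patch:', verify_uimage(patched))
    print('after fix:  ', verify_uimage(fix_uimage(patched)))
```

The ordering in `fix_uimage` is the part people get wrong by hand: the data CRC must be written into the header before the header CRC is computed, because the header CRC covers the data CRC field.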

As always, tread with caution and use at your own risk!

Binwalk 0.3.8 Release

Binwalk 0.3.8 has just been released. In addition to bug fixes, signature updates and speed improvements, binwalk can now also identify raw executable code for various different architectures using the -A option:

$ binwalk -A soho.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------
132       	0x84      	MIPSEL function epilogue
144       	0x90      	MIPSEL function epilogue
176       	0xB0      	MIPSEL function epilogue
224       	0xE0      	MIPSEL function epilogue
248       	0xF8      	MIPSEL function prologue
432       	0x1B0     	MIPSEL function epilogue
440       	0x1B8     	MIPSEL function prologue
896       	0x380     	MIPSEL function epilogue
904       	0x388     	MIPSEL function prologue
1548      	0x60C     	MIPSEL function epilogue
1556      	0x614     	MIPSEL function prologue
2128      	0x850     	MIPSEL function epilogue
2136      	0x858     	MIPSEL function prologue
2800      	0xAF0     	MIPSEL function epilogue
2808      	0xAF8     	MIPSEL function prologue
2880      	0xB40     	MIPSEL function epilogue
2888      	0xB48     	MIPSEL function prologue
3172      	0xC64     	MIPSEL function epilogue
...
1830540   	0x1BEE8C  	MIPSEL function epilogue
1830584   	0x1BEEB8  	MIPSEL function epilogue
1830616   	0x1BEED8  	MIPSEL function epilogue
1830748   	0x1BEF5C  	MIPSEL function epilogue
1830800   	0x1BEF90  	MIPSEL function epilogue
1830812   	0x1BEF9C  	MIPSEL function epilogue
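As an added example of how raw-code detection of this kind works (my own Python, not binwalk's signature file or scanner), the code below looks for the two MIPS instruction shapes behind the "prologue" and "epilogue" labels in the output above: `addiu $sp, $sp, -N` (a function reserving stack space) and `jr $ra` followed by `addiu $sp, $sp, +N` in its delay slot (a function returning and releasing it). The instruction encodings are those of the MIPS architecture (`addiu $sp,$sp,imm` is `0x27BDxxxx`, `jr $ra` is `0x03E00008`); that these two shapes are what binwalk matches on is my assumption, and the sample buffer is constructed.

```python
import struct

JR_RA = 0x03E00008            # jr $ra
ADDIU_SP_SP = 0x27BD0000      # addiu $sp, $sp, imm16 (opcode 9, rs=rt=29)
ADDIU_MASK = 0xFFFF0000


def is_addiu_sp(word):
    return word & ADDIU_MASK == ADDIU_SP_SP


def scan_mipsel(blob, step=1):
    """Return [(offset, description)] for MIPS little-endian prologue/epilogue shapes.

    step=1 scans every byte offset, as binwalk does, so code embedded at an
    unaligned position inside a larger image is still found; step=4 is faster
    when the blob is known to be word aligned.
    """
    hits = []
    for off in range(0, len(blob) - 7, step):           # two words are needed for an epilogue
        w0 = struct.unpack_from('<I', blob, off)[0]
        w1 = struct.unpack_from('<I', blob, off + 4)[0]
        if is_addiu_sp(w0) and w0 & 0x8000:              # negative immediate: frame allocated
            hits.append((off, 'MIPSEL function prologue'))
        elif w0 == JR_RA and is_addiu_sp(w1) and not w1 & 0x8000:  # return + frame released
            hits.append((off, 'MIPSEL function epilogue'))
    return hits


def format_results(hits):
    """Render in the DECIMAL / HEX / DESCRIPTION layout used by binwalk."""
    lines = ['DECIMAL   \tHEX       \tDESCRIPTION', '-' * 61]
    for off, desc in hits:
        lines.append('%-10d\t%-10s\t%s' % (off, '0x%X' % off, desc))
    return '\n'.join(lines)


def le(word):
    """Little-endian encode one 32-bit instruction word."""
    return struct.pack('<I', word)


# Constructed sample: 8 bytes of padding, then a tiny MIPSEL function.
SAMPLE_CODE = (b'\x00' * 8
               + le(0x27BDFFE0)    # addiu $sp, $sp, -0x20   (prologue at offset 8)
               + le(0xAFBF001C)    # sw    $ra, 0x1c($sp)
               + le(0x00000000)    # nop
               + le(0x03E00008)    # jr    $ra               (epilogue at offset 20)
               + le(0x27BD0020)    # addiu $sp, $sp, 0x20    (delay slot)
               + b'\x00' * 4)


if __name__ == '__main__':
    print(format_results(scan_mipsel(SAMPLE_CODE)))
```

Matching on the sign of the immediate is what separates the two cases: the same `0x27BD` opcode/register pair opens a frame when the 16-bit immediate is negative and closes one when it is positive, which is why the scanner checks bit 15 rather than treating every `addiu $sp` as a prologue.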

Grab the latest release here!

Binwalk v0.3.7 Released

Just cut a new release of binwalk, now with Mac OSX support!

In addition to bug fixes and new magic signatures, binwalk no longer relies on the libmagic library; instead, it builds against the file utility’s source code. This removes additional dependencies for the end user, helps to resolve potential variances in libmagic’s operation between different distributions, and eases porting to systems that don’t have the libmagic library.

Binwalk v0.3.6 Release

Binwalk v0.3.6 has just been released and includes improved signatures and user requested feature additions:

  1. Improved (again!) LZMA matching and false positive identification
  2. Ability to specify multiple target files on the command line
  3. By default all gzip and lzma signatures are enabled, and all matches marked as invalid are excluded from the results

As always, you can grab the latest version here.

Binwalk v0.3.4 Released!

Version 0.3.4 of binwalk has just been released. New and improved signatures have been added to the magic file, and more importantly, an update feature has been built in that lets you update your magic file definitions to the latest SVN check-in.

To update your magic signatures, just run:

# binwalk -u

New file system signatures have also been added in this release, as well as improved LZMA signatures.