While the recent v0.2.1 release was a bug fix release, v0.3.0 has added some important new features:
- Include and exclude filters now match search terms on anything in the resulting output rather than just matching the first line description from the magic file.
- Signatures that are two bytes or less in length tend to produce a huge number of false positives. In v0.3.0 these signatures are disabled by default in order to prevent being overloaded with false positive matches. These signatures can be enabled using the new -a or -i options.
- As always, new signatures have been added to the default magic file!
Grab the latest release here.
A new version of our firmware analysis tool, Binwalk, has been released! This release features bug fixes and an improved signatures database.
Be sure to get the new version here!
John Matherly of SHODAN fame and Dan Tentler from Aten Labs teamed up to research the DD-WRT information disclosure vulnerability we released back in December.
The results show that approximately 10% of remotely accessible DD-WRT routers were both vulnerable to the attack and could be geo-located based on the information gleaned from the attack.
Dan did his research back in the December-January timeframe just after the vulnerability was released. Using SHODAN, he found that out of 8,000 – 9,000 DD-WRT routers, 2,000 were vulnerable to the information disclosure bug. Out of those 2,000, he was able to geo-locate 700 – 800 of them based on the information gleaned from the vulnerability.
Dan then teamed up with John, who did another SHODAN search in April, this time finding 5,688 DD-WRT routers, 543 of which were both vulnerable to the information disclosure bug and could be geo-located.
Although the results aren’t broken out by protocol (HTTP vs HTTPS), this also carries implications for how many DD-WRT users have remote administration enabled and are at risk of SSL MITM attacks.
John has put together a great write-up and a Google map of his results on the SHODAN Research page.
Dan’s work can be found on the Aten Labs blog.
When you’re setting up a device for testing, sometimes you need to set up a DNS server. And when you do, you don’t want to be messing around with DNS configuration files.
MiniDNS is a very simplistic DNS server that responds to all DNS queries with a single IPv4 address. Just provide it with the IP address you want requests to resolve to, and you’re up and running:
# minidns 22.214.171.124
Version 0.1.2 of LittleBlackBox was released last night. In addition to a new list of private SSL keys added to the database and some minor bug fixes, we’ve introduced a couple new features:
- Ability to update SSL key database to the latest SVN check-in. This keeps you up to date with the newest SSL keys.
- Support for BSD and OSX builds. The previous Makefile didn’t build without modifications on these systems.
We add new SSL keys to the database regularly, so run --update often!
No, this is not some new SSL vulnerability. In fact, it’s a really old vulnerability, as old as cryptography itself: keep your secret keys secret.
A lot of embedded devices provide HTTPS support so that administrators can administer the devices securely over untrusted networks. Some devices, such as SSL VPNs, center their entire functionality around SSL encryption. OK, well SSL isn’t perfect, but it’s still the de facto standard for Web-based encryption. So far, so good.
Here’s where it gets fun: many of these devices use hard-coded SSL keys that are baked into the firmware. That means that if Alice and Bob are both using the same router with the same firmware version, then both of their routers have the same SSL keys. All Eve needs to do in order to decrypt their traffic is to download the firmware from the vendor’s Web site and extract the SSL private key from the firmware image.
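As an added example (not code from this blog, Binwalk or LittleBlackBox), here is a small Python audit that scans firmware images for embedded PEM private keys and reports any key that is shared between images, which is exactly the condition that makes Alice's and Bob's routers interchangeable to Eve. The firmware blobs and the key material are constructed for the example and are not real keys.

```python
import hashlib
import re

# PEM private-key blocks of the types commonly found baked into firmware.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (RSA |EC |DSA |ENCRYPTED |)PRIVATE KEY-----\s*"
    rb"(.*?)"
    rb"-----END \1PRIVATE KEY-----",
    re.DOTALL,
)

def find_private_keys(image: bytes):
    """Return (offset, key_type, fingerprint) for each PEM private key in a blob.

    The fingerprint is SHA-256 over the base64 body with whitespace stripped,
    so the same key fingerprints identically regardless of line wrapping.
    """
    found = []
    for m in PEM_KEY_RE.finditer(image):
        key_type = (m.group(1).strip() or b"GENERIC").decode()
        body = b"".join(m.group(2).split())
        found.append((m.start(), key_type, hashlib.sha256(body).hexdigest()))
    return found

def shared_keys(images: dict):
    """Map fingerprint -> names of every image that embeds that same key."""
    seen = {}
    for name, blob in images.items():
        for _, _, fp in find_private_keys(blob):
            if name not in seen.setdefault(fp, []):
                seen[fp].append(name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}

# Constructed sample data: fake key material, not real keys or real firmware.
FAKE_KEY_A = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIBOgIBAAJBAKfakeKEYmaterialONLYforTHISexample0000000000000\n"
              b"AAAAB3NzaC1yc2EAAAADAQABAAAAgQC+NOTaREALkey00000000000000==\n"
              b"-----END RSA PRIVATE KEY-----\n")
FAKE_KEY_B = (b"-----BEGIN EC PRIVATE KEY-----\n"
              b"MHQCAQEEIFakeECkeyMATERIALforTHEexampleONLY1111111111111==\n"
              b"-----END EC PRIVATE KEY-----\n")
FIRMWARE = {
    "model-a-v1.0.bin": b"\x7fELF" + b"\x00" * 32 + FAKE_KEY_A + b"\xff" * 16,
    "model-a-v1.1.bin": b"\x7fELF" + b"\x00" * 48 + FAKE_KEY_A,  # same key reused
    "model-b-v2.0.bin": b"hsqs" + b"\x00" * 32 + FAKE_KEY_B,
}
```

Run `shared_keys(FIRMWARE)` on images you have extracted from vendor downloads to see which models and versions ship an identical key; a hit means every unit running that firmware presents the same key.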
We’ve just released a new version of Binwalk, our open source firmware analysis tool. This release features new firmware signatures and a huge speed increase; scan times for large firmware images went from ~12 hours to less than a minute!
Download Binwalk here.