Reaver Now Goes to 11

The decision has been made to open source the Reaver command line tool. The commercial version will contain all the features the open source command-line tool has, along with a web-based client, support, and service options.

This means that the open source version of Reaver will have much-requested features, such as identification of WPS-enabled networks and pause/resume functionality.

This also means that Reaver will be able to specify options for a given router model inside a database. In other words, if it is known that certain options are required or helpful when attacking XYZ router, you can put them in the database and they will be applied automatically whenever you target that model of router. How often the FOSS database will be updated remains to be seen; obviously, those paying for the support plan will take priority.

The latest Reaver release (1.3) now also implements the short DH key optimizations described in the original vulnerability release paper, which reduces computation time on the target AP and increases the attack speed.

Cracking WPA in 10 Hours or Less

The WiFi Protected Setup protocol is vulnerable to a brute force attack that allows an attacker to recover an access point’s WPS pin, and subsequently the WPA/WPA2 passphrase, in just a matter of hours.

This is something that I’ve been testing and using for a while now, but Stefan over at .braindump beat me to publication. Such is life. 🙂

Stefan’s code isn’t quite ready for release yet, so I’ve open-sourced Reaver, my WPS attack tool. Reaver is stable and has been tested against a variety of access points and WPS implementations.

Usage is simple; just specify the target BSSID and the monitor mode interface to use:

# reaver -i mon0 -b 00:01:02:03:04:05

For those interested, there is also a commercial version available with more features and speed improvements.

Qemu vs sstrip

Qemu usually does a great job emulating embedded Linux applications, but as with anything, you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the following error:

eve@eve:~/firmware$ sudo chroot . ./qemu-mips bin/ls 
bin/ls: Invalid ELF image for this architecture

This error is usually indicative of using the wrong endian emulator, but I knew that the target binary was big endian MIPS. The file utility began to shed some light on the issue:

eve@eve:~/firmware$ file bin/busybox 
bin/busybox: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size

Hmmm, a corrupted section header? Let’s take a closer look at the binary.
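As an added illustration (not code from the original post), a small Python check of the section-header fields in an ELF header, the kind of inconsistency behind file's "corrupted section header size" message; the sample Elf32_Ehdr it builds with make_elf32_header is constructed for the demonstration, not taken from a real binary:

```python
import struct

# sizeof(Elf32_Shdr) / sizeof(Elf64_Shdr), indexed by EI_CLASS (1 = 32-bit, 2 = 64-bit):
# e_shentsize must equal this whenever a section header table is present.
SHDR_SIZE = {1: 40, 2: 64}

def check_section_headers(elf):
    """Sanity-check the section-header fields of an ELF image (bytes); returns a list
    of findings, empty when the fields are self-consistent. These are the kinds of
    inconsistencies behind file(1)'s "corrupted section header size" message."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]          # EI_DATA: 1 = little endian, 2 = big endian
    if ei_class not in SHDR_SIZE or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:                           # Elf32_Ehdr: e_shoff @0x20, e_shentsize/e_shnum/e_shstrndx @0x2e
        e_shoff = struct.unpack_from(endian + "I", elf, 0x20)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(endian + "HHH", elf, 0x2E)
    else:                                       # Elf64_Ehdr: e_shoff @0x28, the three shorts @0x3a
        e_shoff = struct.unpack_from(endian + "Q", elf, 0x28)[0]
        e_shentsize, e_shnum, e_shstrndx = struct.unpack_from(endian + "HHH", elf, 0x3A)
    findings = []
    if e_shnum == 0:
        # Legal per the ELF spec; tools such as sstrip drop the whole table.
        return ["no section header table (e_shnum == 0): section headers were stripped"]
    if e_shentsize != SHDR_SIZE[ei_class]:
        findings.append(f"corrupted section header size: e_shentsize={e_shentsize}, "
                        f"expected {SHDR_SIZE[ei_class]}")
    if e_shoff == 0 or e_shoff + e_shnum * e_shentsize > len(elf):
        findings.append(f"section header table at 0x{e_shoff:x} ({e_shnum} entries) "
                        f"does not fit in the {len(elf)}-byte file")
    if e_shstrndx >= e_shnum:
        findings.append(f"e_shstrndx={e_shstrndx} is not a valid section index")
    return findings

def make_elf32_header(e_shoff, e_shentsize, e_shnum, e_shstrndx, big_endian=True):
    """Constructed 52-byte Elf32_Ehdr (ET_EXEC, EM_MIPS) used only as sample input here."""
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    fmt = (">" if big_endian else "<") + "16sHHIIIIIHHHHHH"
    return struct.pack(fmt, ident, 2, 8, 1, 0x400000, 52, e_shoff, 0, 52, 32, 0,
                       e_shentsize, e_shnum, e_shstrndx)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("\n".join(check_section_headers(f.read()) or ["section header fields are consistent"]))
```

Run it against a binary that file reports as corrupted to see which of the four fields disagrees with the rest of the file.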

Speaking SPI & I2C With The FT-2232

For a while now I’ve been looking for an easy way to interface with external SPI and I2C devices over USB in a manner that can be easily integrated into future projects as well as used in a simple stand-alone system.

Although there are many existing SPI/I2C interface solutions, most of them are microcontroller based and connect to the PC through a USB to serial converter. This works fine, but I wanted something with a bit more speed while also remaining simple, cheap, and readily available.

After some searching, the FTDI FT-2232 family of chips seemed to fit the bill nicely. Although they are more commonly used to interface with JTAG devices, the FT-2232’s Multi-Protocol Synchronous Serial Engine (MPSSE) also supports the SPI and I2C protocols, clock rates of up to 30MHz, and a full-speed USB interface. Development boards are also cheap – the UM232H is $20 from DigiKey or Mouser in single quantities.

I’ve written libmpsse, a Linux wrapper library around libftdi that provides an easy to use API for interfacing with SPI and I2C devices using C and Python.

So how does this relate to hacking embedded systems you ask? Let’s take a look…

Adding Hyperlinks to IDA HTML Files With IDAnchor

IDA can export disassembled data in a variety of formats, including HTML. However, the HTML output is difficult to navigate as there are no hyperlinks connecting any of the code cross references. This is a bit frustrating, so I wrote IDAnchor.

IDAnchor will take an HTML file generated by IDA and attempt to locate functions and code references in the file. It then adds anchor tags to each location and hyperlinks all cross references together for easy navigation. It also adds a function navigation table for easily jumping to a desired function:

IDAnchor Example Output

IDAnchor is still very much beta code, but so far it works for me!

Modifying The DD-WRT GUI

Although released under the GPL, DD-WRT is notoriously difficult to build from source. If you want to customize your DD-WRT installation, it is usually easier to extract files from the firmware image, change what you need, and then re-construct the image.

One exception here is the Web GUI. The DD-WRT Web pages (*.asp, *.htm, *.gif, *.css) in each firmware image are protected in order to prevent modification. Being able to customize the Web interface can be advantageous for those wishing to add compatibility with mobile/uncommon browsers, change themes, add links, etc.

And, despite claims to the contrary, that’s exactly what we’ll be doing.

DD-WRT Sporting the Hack-A-Day Logo

Firmware-Mod-Kit Updated, v0.69 Released

For the past month I’ve been working with Jeremy Collake on updating the firmware-mod-kit. This has resulted in lots of bug fixes and the creation of two new scripts for deconstructing and re-building firmware images:

  • extract-ng.sh
  • build-ng.sh

The NG scripts have been designed as more flexible and generic replacements for the current extract_firmware.sh / build_firmware.sh scripts, and provide many improved features including:

  • The use of binwalk (now included with the firmware-mod-kit) to locate and extract file systems
  • Automatic identification and extraction of firmware footers, such as those used by the TEW-632BRP
  • Automatic identification of the correct SquashFS version and compression to use
  • Support for identifying and patching multiple headers inside a single firmware image

Usage is simple. To extract a firmware image, run:

$ ./extract-ng.sh firmware.bin

The extracted file system will be saved to fmk/rootfs. After modifying the root file system, the new firmware image can be re-built by running:

$ ./build-ng.sh

Additionally, several new tools have been added to the kit, including:

  • New un/squashfs utilities
  • New uncramfs utilities
  • crcalc, a tool to update uImage and TRX checksums

The extract-ng.sh and build-ng.sh tools currently support TRX and uImage firmware headers and SquashFS file systems, and should work with most firmware images that use these components. However, they are still in beta testing and should be considered less stable than the older extract_firmware.sh and build_firmware.sh tools.

As always, tread with caution and use at your own risk!
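Added example, not code from the firmware-mod-kit or from crcalc: recomputing the two checksums crcalc updates, the TRX header CRC and the uImage header/data CRCs, in Python. The header layouts follow the public TRX and U-Boot image formats; the build_trx and build_uimage helpers produce constructed sample images for the demonstration.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"        # 28-byte LE header: magic, len, crc32, flag_version, offsets[3]
UIMAGE_MAGIC = 0x27051956  # 64-byte BE header: magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]

def trx_crc(image, length):
    # CRC32 over offset 12 (flag_version) .. len with init 0xFFFFFFFF and no final
    # XOR, i.e. the bitwise NOT of zlib.crc32(); this is what the header stores.
    return zlib.crc32(image[12:length]) ^ 0xFFFFFFFF

def fix_trx(image):
    """Return the TRX image with its crc32 field recomputed."""
    if image[:4] != TRX_MAGIC:
        raise ValueError("not a TRX image")
    length = struct.unpack_from("<I", image, 4)[0]
    if not 28 <= length <= len(image):
        raise ValueError(f"TRX len {length} is inconsistent with a {len(image)}-byte file")
    return image[:8] + struct.pack("<I", trx_crc(image, length)) + image[12:]

def trx_crc_ok(image):
    length, stored = struct.unpack_from("<II", image, 4)
    return stored == trx_crc(image, length)

def fix_uimage(image):
    """Return the uImage with ih_dcrc (payload CRC) and ih_hcrc (header CRC, taken
    with the hcrc field zeroed) recomputed; U-Boot uses plain zlib-style CRC32."""
    magic, _, _, size = struct.unpack_from(">IIII", image, 0)
    if magic != UIMAGE_MAGIC or 64 + size > len(image):
        raise ValueError("not a uImage, or ih_size exceeds the file size")
    hdr = image[:24] + struct.pack(">I", zlib.crc32(image[64:64 + size])) + image[28:64]
    hcrc = zlib.crc32(hdr[:4] + bytes(4) + hdr[8:])
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + image[64:]

def uimage_crcs_ok(image):
    hcrc, _, size, _, _, dcrc = struct.unpack_from(">IIIIII", image, 4)
    return (hcrc == zlib.crc32(image[:4] + bytes(4) + image[8:64])
            and dcrc == zlib.crc32(image[64:64 + size]))

def build_trx(payload):
    """Constructed sample TRX: zero CRC, payload at offset 28, padded to 4 bytes."""
    payload += bytes(-len(payload) % 4)
    return struct.pack("<4sIII3I", TRX_MAGIC, 28 + len(payload), 0, 1, 28, 0, 0) + payload

def build_uimage(payload):
    """Constructed sample uImage: zero CRCs; os=Linux(5), arch=MIPS(5), type=kernel(2), comp=none(0)."""
    return struct.pack(">7I4B32s", UIMAGE_MAGIC, 0, 0, len(payload), 0x80001000,
                       0x80001000, 0, 5, 5, 2, 0, b"constructed sample") + payload
```

The *_ok functions are the check to run on a rebuilt image before flashing it: a bootloader that validates the TRX or uImage CRC will refuse an image whose payload was edited without the header being updated.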

Binwalk 0.3.8 Release

Binwalk 0.3.8 has just been released. In addition to bug fixes, signature updates and speed improvements, binwalk can now also identify raw executable code for various architectures using the -A option:

$ binwalk -A soho.bin

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------
132       	0x84      	MIPSEL function epilogue
144       	0x90      	MIPSEL function epilogue
176       	0xB0      	MIPSEL function epilogue
224       	0xE0      	MIPSEL function epilogue
248       	0xF8      	MIPSEL function prologue
432       	0x1B0     	MIPSEL function epilogue
440       	0x1B8     	MIPSEL function prologue
896       	0x380     	MIPSEL function epilogue
904       	0x388     	MIPSEL function prologue
1548      	0x60C     	MIPSEL function epilogue
1556      	0x614     	MIPSEL function prologue
2128      	0x850     	MIPSEL function epilogue
2136      	0x858     	MIPSEL function prologue
2800      	0xAF0     	MIPSEL function epilogue
2808      	0xAF8     	MIPSEL function prologue
2880      	0xB40     	MIPSEL function epilogue
2888      	0xB48     	MIPSEL function prologue
3172      	0xC64     	MIPSEL function epilogue
...
1830540   	0x1BEE8C  	MIPSEL function epilogue
1830584   	0x1BEEB8  	MIPSEL function epilogue
1830616   	0x1BEED8  	MIPSEL function epilogue
1830748   	0x1BEF5C  	MIPSEL function epilogue
1830800   	0x1BEF90  	MIPSEL function epilogue
1830812   	0x1BEF9C  	MIPSEL function epilogue
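To show what lies behind output like the above, here is an added example (my own code, not binwalk's signature definitions) that scans a raw blob for the MIPS instruction patterns marking function prologues and epilogues and prints them in the same table layout; the SAMPLE bytes are a constructed little-endian function, and the pattern definitions are this example's own assumptions about what constitutes a prologue and epilogue:

```python
import struct

# Encodings from the MIPS32 ISA (constructed here; not binwalk's own signature files):
#   addiu $sp, $sp, imm16 -> 0x27BD0000 | imm16 (a negative imm16 opens a stack frame)
#   jr $ra                -> 0x03E00008 (return; the branch delay slot follows it)
ADDIU_SP_SP = 0x27BD0000
JR_RA = 0x03E00008

def scan_mips(data, little_endian=True):
    """Return (offset, description) pairs for function prologues and epilogues in a
    raw code blob. Every byte offset is tried, as binwalk does, because the code may
    not sit 4-byte aligned inside the firmware image."""
    endian = "<" if little_endian else ">"
    arch = "MIPSEL" if little_endian else "MIPS"
    hits = []
    for off in range(0, len(data) - 7):
        insn, nxt = struct.unpack_from(endian + "II", data, off)
        if (insn & 0xFFFF0000) == ADDIU_SP_SP and (insn & 0x8000):
            hits.append((off, f"{arch} function prologue"))      # addiu $sp,$sp,-N
        elif insn == JR_RA and (nxt & 0xFFFF0000) == ADDIU_SP_SP and not (nxt & 0x8000):
            hits.append((off, f"{arch} function epilogue"))      # jr $ra; addiu $sp,$sp,+N
    return hits

def format_table(hits):
    """Render the results in the DECIMAL / HEX / DESCRIPTION layout binwalk prints."""
    lines = ["DECIMAL   \tHEX       \tDESCRIPTION", "-" * 61]
    for off, desc in hits:
        lines.append(f"{off:<10}\t{'0x%X' % off:<10}\t{desc}")
    return "\n".join(lines)

# Constructed sample: two junk bytes, then one little-endian function:
#   addiu $sp,$sp,-32 ; sw $ra,28($sp) ; lw $ra,28($sp) ; jr $ra ; addiu $sp,$sp,32
SAMPLE = b"\x00\x00" + b"".join(struct.pack("<I", w) for w in
                                (0x27BDFFE0, 0xAFBF001C, 0x8FBF001C, 0x03E00008, 0x27BD0020))

if __name__ == "__main__":
    print(format_table(scan_mips(SAMPLE)))
```

Scanning the same bytes with the wrong endianness finds nothing, which is why a run that returns hits for only one of MIPS/MIPSEL is a useful hint about the target's byte order.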

Grab the latest release here!

Binwalk v0.3.7 Released

Just cut a new release of binwalk, now with Mac OSX support!

In addition to bug fixes and new magic signatures, binwalk no longer relies on the libmagic library; instead, it builds against the file utility’s source code. This removes additional dependencies for the end user, helps to resolve potential variances in libmagic’s operation between different distributions, and eases porting to systems that don’t have the libmagic library.

Binwalk v0.3.6 Release

Binwalk v0.3.6 has just been released and includes improved signatures and user requested feature additions:

  1. Improved (again!) LZMA matching and false positive identification
  2. Ability to specify multiple target files on the command line
  3. By default all gzip and lzma signatures are enabled, and all matches marked as invalid are excluded from the results

As always, you can grab the latest version here.