Hello,
In this topic, we will analyze firmware files with Binwalk. Binwalk is a computer forensics tool. Let's get started.
What does Binwalk Do?
Binwalk can analyze the hexadecimal values in a firmware file. With it, we can detect and analyze the linked files. The information found during an analysis can be presented as judicial evidence in court.
What is Firmware?
It is software that specifies the functions of peripheral hardware units and ensures that these functions are performed properly. They can be found in electronic devices such as MP3 players, modems, printers. They don't change except for various updates.
Firmware Analysis With Binwalk
Of course we must have a firmware file before the analysis process. You can download these firmware files from the internet to learn the software practically. I will use a firmware file that I found on the internet.
Binwalk is a tool that comes pre-installed on Linux systems. For this reason, we can proceed directly to our operations without installation. Let's view the parameters that can be used with Binwalk.
Code:
binwalk -h
Now that we have learned the parameters, we can proceed to the analysis. I specify the file that I will analyze and start the analysis process by typing this command:
Code:
binwalk file/path/file_name.bin
In the output, we see that the file system points to "1147023". When we look at the description, we can see that a squashfs file system is specified at this address. So, we will try to extract the squashfs file system from the firmware.
The dd tool will enable us to extract the file system that we specified from the firmware.
"if" : We specify our firmware file with the if parameter.
"of" : We specify the new file to be created with this parameter.
"skip" : We specify the address indicated for the file system with this parameter.
"bs" : We specify the block size with the bs parameter. We need to give this value as 1 so that skip is counted in bytes and the file is read properly.
Code:
dd if=firmware/file/path/file_name.bin of=output/path/file_name skip=1147023 bs=1
After the process completes successfully, our output file will be created in the location that we specified. We can confirm the accuracy of the process. For this, type this command:
Code:
binwalk file/path/file_name
As you can see, the address of the "test.squasshfs" file that we extracted shows "0". That means the operation completed successfully. The information in our file is complex, so we will make it readable. We can use the unsquashfs tool for this. Before installing the tool, let's install a few packages for our tool to use.
Code:
apt-get install liblzma-dev
Code:
apt-get install subversion
Code:
apt-get install zlib1g-dev
Code:
apt-get install build-essential
After installing the packages, we install our tool with this command:
Code:
apt-get install squashfs-tools
After the installation, we use the unsquashfs tool to make the information in our file readable.
Code:
unsquashfs -i file/path/file_name
After this, a new directory (squashfs-root) will be created. Let's go to the new directory with this command:
Code:
cd ./squashfs-root/
Let's view the files and folders in the directory:
Code:
ls
We have viewed the content of the file system. So we can get information about the firmware file that we analyzed under the squashfs-root directory. We can also access this directory under the root directory and view the files instead of accessing it from the terminal.
Thanks!
Source: https://www.turkhackteam.org/adli-b...yalarini-binwalk-araci-ile-analiz-edelim.html
Translator dRose98
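The dd step in the post copies everything from the offset to the end of the firmware file. As an added example (not part of the original post), the Python script below finds a SquashFS superblock by its magic, validates it, and carves exactly the number of bytes the superblock declares. It assumes a little-endian SquashFS 4.x image; the function names and the sample firmware blob are constructed for illustration.

```python
import struct

SQUASHFS_MAGIC = b"hsqs"  # magic of a little-endian SquashFS 4.x image
# Fields: magic, inode_count, mod_time, block_size, frag_count, compressor,
# block_log, flags, id_count, ver_major, ver_minor, root_inode, bytes_used
HEADER = struct.Struct("<4sIIIIHHHHHHQQ")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(blob):
    """Return (offset, bytes_used, compressor) for each plausible superblock."""
    hits = []
    pos = blob.find(SQUASHFS_MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(blob):
            f = HEADER.unpack_from(blob, pos)
            block_size, comp, block_log, major, used = f[3], f[5], f[6], f[9], f[12]
            # Sanity checks reject a stray "hsqs" that is not a real header.
            if (major == 4 and block_log < 32 and block_size == 1 << block_log
                    and HEADER.size <= used <= len(blob) - pos):
                hits.append((pos, used, COMPRESSORS.get(comp, "unknown")))
        pos = blob.find(SQUASHFS_MAGIC, pos + 1)
    return hits


def carve(blob, offset, length):
    """Same effect as: dd if=fw of=out bs=1 skip=<offset> count=<length>"""
    return blob[offset:offset + length]


def build_sample():
    """Constructed firmware blob: padding, decoy magic, valid header, trailer."""
    body = b"\xAA" * 200
    used = HEADER.size + len(body)
    header = HEADER.pack(SQUASHFS_MAGIC, 1, 0, 131072, 0, 4, 17, 0, 1, 4, 0, 0, used)
    return b"\x00" * 64 + b"hsqs" + b"\xFF" * 100 + header + body + b"TRAILER-SIG"


if __name__ == "__main__":
    fw = build_sample()
    for off, used, comp in find_squashfs(fw):
        image = carve(fw, off, used)
        print(f"squashfs at {off}: {used} bytes, {comp}; carved {len(image)} bytes")
```

On a real firmware file, read it with `open(path, "rb").read()` and write the carved bytes to a new file before running unsquashfs on it.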