Reverse Engineering Edge-Core Router Firmware Backdoor

From Indonesian Research And Development Center

Disclaimer

This tutorial is intended for learning purposes only. The author is not responsible for the use or misuse of this tutorial. Use at your own risk.


Introduction

This tutorial covers a method that can be used to reverse engineer and analyse the firmware of a router made by Edge-Core. The firmware contains a lot of important information, including possible backdoors.


Steps

  • Download the firmware update from the Edge-Core site:
% wget -q http://www.edge-core.com/temp/ec_download/573/ES3528_52M_opcode_V1.4.10.1.zip
  • Extract the archive containing the firmware:
% unzip ES3528_52M_opcode_V1.4.10.1.zip
  • Next, you can extract the contents of the .bix firmware from the step above using binwalk:
% binwalk -r -e ES3528_52M_opcode_V1.4.10.1.bix

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
32            0x20            gzip compressed data, has original file name: "ram.bin", from FAT filesystem (MS-DOS, OS/2, NT), last modified: 2010-12-18 01:36:24
  • To make things easier, you can move the ram.bin file out of the subdirectory created by binwalk and delete that subdirectory, like this:
% mv _ES3528_52M_opcode_V1.4.10.1.bix.extracted/ram.bin . && rm -r _ES3528_52M_opcode_V1.4.10.1.bix.extracted 
  • Run binwalk again to analyse the firmware file named ram.bin. The following are the parts of its output that will be used in this tutorial:
% binwalk ram.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
126164        0x1ECD4         VxWorks operating system version "5.5.1" , compiled: "Dec 17 2010, 17:18:16"
...
510420        0x7C9D4         Base64 standard index table
...
4433086       0x43A4BE        Copyright string: "copyright notice:"
6827124       0x682C74        CRC32 polynomial table, little endian
7020764       0x6B20DC        PEM certificate
7021584       0x6B2410        PEM RSA private key
7022568       0x6B27E8        PEM RSA private key
7023132       0x6B2A1C        PEM RSA private key
7023696       0x6B2C50        PEM RSA private key
7024260       0x6B2E84        PEM RSA private key
7024824       0x6B30B8        PEM RSA private key
7025596       0x6B33BC        PEM RSA private key
7026356       0x6B36B4        PEM RSA private key
7027116       0x6B39AC        PEM RSA private key
7027876       0x6B3CA4        PEM RSA private key
7028840       0x6B4068        PEM RSA private key
7029804       0x6B442C        PEM RSA private key
7030768       0x6B47F0        PEM RSA private key
7053204       0x6B9F94        OpenSSH DSA public key
7154848       0x6D2CA0        Base64 standard index table
7228528       0x6E4C70        Unix path: /var/run/sshd.pid
7264212       0x6ED7D4        CRC32 polynomial table, little endian
8142844       0x7C3FFC        Copyright string: "Copyright(C) Accton Corporation, 1999, 2000"
9284792       0x8DACB8        HTML document header
9284824       0x8DACD8        HTML document footer
13982100      0xD55994        Neighborly text, "neighborsiver"
14115064      0xD760F8        Copyright string: "Copyright(C) 2000-2002"
...
17029352      0x103D8E8       Base64 standard index table
18159452      0x115175C       Unix path: /usr/local/ssl/private
18597536      0x11BC6A0       Copyright string: "Copyright 2000~2002, Marvell International Ltd."
18687869      0x11D277D       Copyright string: "Copyright 1986-1997 Epilogue Technology Corporation"
18705349      0x11D6BC5       Copyright string: "Copyright 1984-2002 Wind River Systems, Inc."
18720236      0x11DA5EC       Copyright string: "Copyright Wind River Systems, Inc., 1984-2003"
18733326      0x11DD90E       VxWorks WIND kernel version "2.6"
18900248      0x1206518       Zlib compressed data, default compression
18935168      0x120ED80       YAFFS filesystem
18935196      0x120ED9C       YAFFS filesystem
18938948      0x120FC44       YAFFS filesystem
18944791      0x1211317       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
18946527      0x12119DF       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
18946555      0x12119FB       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
18946583      0x1211A17       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 4bit
19041183      0x1228B9F       Copyright string: "Copyright 1999, Mark Martinec. Frontier Artistic License applies."
19066112      0x122ED00       Base64 standard index table
19080352      0x12324A0       CRC32 polynomial table, little endian
  • From the binwalk output excerpt above, you can see that there are several private keys, a certificate and other important files. Next, you could use the strings command in a terminal to extract that data. The drawback of that approach is that you only see printable strings. This tutorial uses another method instead: a simple shell script that runs dd to extract the data at the desired offsets. Here is the shell script used in this tutorial:
#!/bin/bash
# Carve the bytes [start, end) out of ram.bin into <output>.
# start and end are decimal byte offsets, as printed in binwalk's DECIMAL column.

if (( $# != 3 )); then
  echo "Usage: $0 <start> <end> <output>" >&2
  exit 1
fi

# bs=1 makes skip and count byte-granular (slow on large spans, but exact).
dd if=ram.bin of="$3" bs=1 count=$(($2 - $1)) skip="$1"
  • Save the script as ekstrak.sh and make it executable with a command like this:
% chmod +x ekstrak.sh
  • Next, you can start extracting the desired offsets from ram.bin. The first example use of ekstrak.sh extracts the certificate located at offset 7020764 through 7021584, like this:
% ./ekstrak.sh 7020764 7021584 cert.pem
820+0 records in
820+0 records out
820 bytes (820 B) copied, 0.00954562 s, 85.9 kB/s
  • The command above saves the extracted file as cert.pem. Here are the contents of that file:
% cat cert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  • To view the information in the certificate file, you can use a command like this:
% openssl x509 -in cert.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=24/48 L2/L4 GE Switch
        Validity
            Not Before: Nov 17 10:48:56 2005 GMT
            Not After : Nov 15 10:48:56 2015 GMT
        Subject: CN=24/48 L2/L4 GE Switch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ca:2a:7e:3e:9f:bc:bf:1f:8e:c4:c3:dd:f3:03:
                    28:0c:76:11:58:c1:d1:c8:25:62:ca:ba:b3:1f:7b:
                    2f:a2:c2:d6:43:f0:f3:e7:19:3f:79:c1:06:79:02:
                    bc:5d:65:d3:f1:b5:d5:32:bd:b5:4d:fb:d3:fb:a9:
                    a9:82:3a:9d:ae:d5:a7:b6:55:f8:59:3f:1e:88:60:
                    6c:ef:28:b7:d5:34:cc:a7:83:1b:eb:88:0e:f1:c3:
                    06:d6:2a:d8:a8:a8:62:12:82:eb:fb:2d:26:e7:6d:
                    d1:e9:c3:1f:7a:e2:c4:5f:65:4d:d5:41:80:44:ba:
                    56:3e:96:5d:ef:db:05:b9:9f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B2:77:9E:30:41:09:7D:AA:7D:95:46:8F:95:EE:23:9F:B4:54:F8:91
            X509v3 Authority Key Identifier:
                keyid:B2:77:9E:30:41:09:7D:AA:7D:95:46:8F:95:EE:23:9F:B4:54:F8:91
                DirName:/CN=24/48 L2/L4 GE Switch
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
         b5:ec:35:31:7d:47:99:ed:14:bb:4f:8e:1d:85:53:de:e4:6b:
         2e:eb:74:26:b7:58:4f:ed:7b:ad:d4:fe:68:b7:78:a5:b1:04:
         69:6c:18:bc:9d:99:46:f7:d1:0c:80:8d:ef:8f:31:e3:6e:be:
         35:a7:28:e5:85:d9:b6:fc:89:05:bd:1e:23:6e:eb:8d:c8:f6:
         c8:6e:d3:1d:eb:b7:24:73:fb:17:84:b3:c8:94:4d:37:2a:f1:
         e0:da:56:78:0a:3c:f6:60:98:c0:f2:f5:12:17:60:f9:67:db:
         c3:c2:89:f8:9b:23:22:e1:36:76:a1:48:4e:4d:cf:06:a7:44:
         c7:68
  • Next, extract the first private key, located at offset 7021584 through 7022568. The method is the same as in the step above:
% ./ekstrak.sh 7021584 7022568 id_rsa-1
984+0 records in
984+0 records out
984 bytes (984 B) copied, 0.00446352 s, 220 kB/s
  • Here is the extracted file, which has one extra line containing the word rekibcertificate (if the word rekib is reversed, it reads biker):
% cat id_rsa-1
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,807E79ED82260037

XI7EfExXgJVIVH4MqNvtGTz4FgiolbdfhpTRrqnJWUVEWBZnS48WOxYR4kOVrMqd
eQ/S81FYtr2QVKzltbaNpHMQUmDR0zD3sU0FLe+Qn0MF1HzqzwQonHM+E+GRsgpk
WVvPU8JCQyo7w+p9/dvs5VtiBMbjy8898GfwhSeYAEu4irj+F3VmzJLG7jKZmLFb
VBdcfxeJrUfIVxOwCGqSZ9K4L382hyPundIqfaRbU2uai3oST+WYLQMNpnpo/x3D
ajd89iYryQ/Jhl/OWHBekhIMJ3N457nwfP1GvLNV6/GhrDeflwLrrM0k8mmNiQjr
rIl4xxyWWbpVnBGVKrv4WC2fIuWe6JpojdS7oebI+x1ZrxnIW3aEmZkt1wzom7ST
SRS++hSVfyRu/w00NtprkUrqmRIKL64Yhjhcd13kruKbpNy2NJzV2EVH0ZHhGrmZ
cSZ1V2ui87FjloptQ7a2NR9cYxDUkDTof+OefQFS9Y6dyUqaR60L3JVk8eFqFP2N
YxLwkSBGUbR/FCpeSM0jQHSO2lDEEAT0OX9nnpz1+ORgfB+FTcwqepTdRSj1nhWp
cN8XfFvUCPm3p1nP5csWMwKHaCcLede1+oCEKCzpWaidSZ2zlCux2XyI3upuICzU
iwSKW2eIetnEvbblX3RKNoDl1kaRI/nF11e5uFMWKXRZgwslTAU30AP2upgrVroa
kHc4+PT+2FXpsVwzTHzowhTYaMFU04bL9f4r1+p4lahCX2N46WMWOpkZI39jYg7e
DuHWLnUirHcuXmGVISOYZfGqHIOGC5tD1yXwyQjw8ghnSzVsYrMiqw==
-----END RSA PRIVATE KEY-----
rekibcertificate
  • Delete everything after the -----END RSA PRIVATE KEY----- line of the key above, then check it with openssl. When prompted for a passphrase, enter the word rekib, like this:
% openssl rsa -in id_rsa-1 -check
Enter pass phrase for id_rsa-1:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
  • Next, extract the second private key, located at offset 7022568 through 7023132:
% ./ekstrak.sh 7022568 7023132 id_rsa-2
564+0 records in
564+0 records out
564 bytes (564 B) copied, 0.00333728 s, 169 kB/s
  • Here are the contents of that private key, in passphrase-encrypted form:
% cat id_rsa-2
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6A9EC7242C2434FA

Ur9DAPPUoC/uoKEuebZLNmk7xtLFj4Pseq0mOk/dxI/Hf9VJKCOla78ouQWKtH/u
SaGjtmFraa/+7QvTHXCSCZcnFIOTJvV3juhjL3qEDU+g+EVcB1tAP47RmSOMbvsu
a0mqpg3RnPHgTNWWk/KbrW+fCFNVXIMGz0c8o51/bUMy/0xJhJZk9vRpmxuxn415
ygsYaE5VPvksomZAANtzqnYlqpPgN+RvgZIH/HgLbi6+n6qucO3wEuDyv3mcgz4Q
pj3L2hJM3X+EvMtDlj4sHkIEZgdQnqVV5s8674yq28ZVcAOZ1Nf3DXqu3kNirgBO
M/ib7SThdmHfAucJdVq8vCB/QAw3ON9MVu5Y5RoLDudVdX5Ty3a7mKMA4aEWW3ta
rZajKBI8Z5/ioZpE4+IAmcYQjipB2f0oJOzS1BQQjPs=
-----END RSA PRIVATE KEY-----
  • To decrypt it, use the passphrase 1234, like this:
% openssl rsa -in id_rsa-2 -check
Enter pass phrase for id_rsa-2:
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAMKgbGb00za8qdhXVUkg3FaQGgPgom8Ai9w9zMCt56g/lYJ31vRT
yYZYLngiyFQiQm/vU8T0BEiOV/Vx8XZqU/kCAwEAAQJAMeEjZw9/wht/++4F8YP2
dEjiIfRELOaa8Yr1Grx3DmsqvvZOj0JN0pmEW59hKKSy0eM+e9dcP+PpBBC0/aZu
AQIhAOobtON/Y5Vtgcf3RubTgyJBDUWU1/ZKnPUSDX2qYHCpAiEA1NOSRra1Wp1E
hcMSrZ6HLIUepp5+FonrpD7BaSchytECIQDPNNK4AQqNOa2C5fSVXWRVryomCgXT
8lpV9zKFpYVScQIgGXg0YjgNXgnCIIvm2VZGcQKBV4lSJ5pb0+0asl3XgnECIQDd
1woqllIE+jc9f1PQWebBai6sJCkg65GA2taUFBWYLg==
-----END RSA PRIVATE KEY-----
  • The remaining private keys can be extracted the same way and checked using the passphrase 1234.
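The steps above carve one PEM block at a time by hand from the offsets binwalk printed. As an added example (not part of the original tutorial), the Python script below scans a whole image for PEM blocks, reports each one's byte offset in the same decimal and hex form binwalk uses, and flags which private keys are still passphrase-protected (Proc-Type: 4,ENCRYPTED), so every embedded key can be inventoried. It runs on a constructed in-memory sample rather than on ram.bin; all key bodies in it are fake placeholders.

```python
import re
from pathlib import Path

# One whole PEM block: BEGIN line, body, END line carrying the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----\r?\n?", re.DOTALL)
# Headers openssl writes into a passphrase-protected (legacy PEM) private key.
ENCRYPTED_RE = re.compile(rb"^Proc-Type: 4,ENCRYPTED\s*$", re.MULTILINE)
DEK_RE = re.compile(rb"^DEK-Info: ([^,\s]+)", re.MULTILINE)


def carve_pem(image: bytes) -> list:
    """One dict per PEM block; 'offset'/'end' are byte offsets into the image
    (the numbers binwalk prints in its DECIMAL column), usable with dd too."""
    blocks = []
    for m in PEM_RE.finditer(image):
        body = m.group(2)
        dek = DEK_RE.search(body)
        blocks.append({
            "label": m.group(1).decode(),
            "offset": m.start(),
            "end": m.end(),
            # True when the key still needs a passphrase before it can be used.
            "encrypted": ENCRYPTED_RE.search(body) is not None,
            # Cipher named in DEK-Info (e.g. DES-EDE3-CBC); None for clear keys.
            "cipher": dek.group(1).decode() if dek else None,
            "pem": m.group(0),
        })
    return blocks


# Constructed sample image (not real firmware): filler bytes, a certificate,
# an encrypted RSA key followed by stray trailing text, then a clear-text
# RSA key. The base64 bodies and the DEK-Info IV are fake placeholders.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"-----BEGIN CERTIFICATE-----\nMIIBfakecert==\n-----END CERTIFICATE-----\n"
    + b"\xff" * 8
    + b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    + b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nXI7Efakekey==\n"
    + b"-----END RSA PRIVATE KEY-----\nrekibcertificate\n"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIBOwfakekey==\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    # Replace SAMPLE_IMAGE with Path("ram.bin").read_bytes() for a real image.
    for blk in carve_pem(SAMPLE_IMAGE):
        name = f"{blk['label'].replace(' ', '_')}-0x{blk['offset']:X}.pem"
        Path(name).write_bytes(blk["pem"])  # carved block, trailing text excluded
        print(f"{blk['offset']:<10}0x{blk['offset']:<10X}{blk['label']}"
              f"  encrypted={blk['encrypted']}  cipher={blk['cipher']}  -> {name}")
```

Each carved file ends at the END marker, so the stray rekibcertificate line that followed the first key in the tutorial is never written into the key file.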
  • Next, using strings and grep, you can search ram.bin for the word backdoor:
% strings ram.bin | grep -i backdoor
    x : Exit TFTP Backdoor function
 TFTP Backdoor Selection
------------- IGMPSNP Backdoor Main DB Menu ------------
security backdoor
backdoor: %s: command not found
exit -- back to up menu, quit -- back to accton backdoor
CFGDB: Section handler: %lu, writing is disabled by backdoor.
Main menu of CFGDB backdoor:
  99. To exit from backdoor.
 SMTP Backdoor Selection
[RULE_MGR_BindPortOrTrunk2Acl_BackDoor]
l4 backdoor
backdoor: %s: command not found
exit -- back to up menu, quit -- back to accton backdoor
 L4_Backdoor_CpuIf_MAC_BASED_VLAN ->
 L4_Backdoor_CpuIf_MAC_BASED_MIRROR ->
 L4_Backdoor_CpuIf_SQinQ ->
 L4_Backdoor_CpuIf_IP_SUBNET_BASED_VLAN ->
 L4_Backdoor_CpuIf_MVR_REC_VLAN ->
Main menu of backdoor:
 %s --- To exit from backdoor.
 GARP Backdoor Selection
    x : Exit GARP Backdoor function
==========AMTR BackDoor Menu================
SWCTRL_BACKDOOR_DEBUG_FLAG_ALL
SWCTRL_BACKDOOR_DEBUG_FLAG_MDIX
SWCTRL_BACKDOOR_DEBUG_FLAG_AMTR(Temp)
SWCTRL_BACKDOOR_DEBUG_FLAG_PORT_OPER_STATUS_CHANGED
SWCTRL_BACKDOOR_DEBUG_FLAG_CALLBACK_NOTIFY
SWCTRL_BACKDOOR_DEBUG_FLAG_NONE
==== SWCTRL Private VLAN Backdoor =============
==============Backdoor for Storm==============
==== VLAN Mirror SWCTRL Backdoor ====
==== Selective QinQ Backdoor ========
    x : Exit LACP Backdoor function
 LACP Backdoor Selection
LACP backdoor input exceed boundry
FS_BACKDOOR_DumpFile
FS_BACKDOOR_DirInfo
FS_BACKDOOR_FileCopy
FS_BACKDOOR_StressTest
==========AMTRDRV BackDoor Menu================
    NMTRDEV BACKDOOR MENU
==========SWDRV BackDoor Sub Menu===[Port]=====
==========SWDRV BackDoor Menu================
 3. Enter Chip Backdoor
Enter Broadcom backdoor
ERROR: Cannot rusume backdoor debug tSOC-CLI task!
RULE_CTRL_DumpGlobalAce_BackDoor
 CPU storm Backdoor Selection
-----LAN BACKDOOR MENU:-----
  LAN Backdoor Menu
Press (0=lan new backdoor, 1=rx packet count, 2=buffer info,
 Trap Backdoor Selection
SNTP_MGR: SNTP Backdoor Selection
LEDDRV_BACKDOOR_SetLED
LED Driver BACKDOOR OK!!
======== VLAN Mirror Backdoor =======
n   : run VLAN mirror backdoor
r   : Run Dot1qTunnel(QinQ) backdoor
m   : get new backdoor for marvell queue and register
============== new backdoor for Marvell =========================
==============backdoor for Mcast and Unkucast ==============
==== Dot1qTunnel (QinQ) Backdoor =================================
p : enter private backdoor
==== Private VLAN Backdoor ==============
DEV_SWDRVL4_BackdoorForPrivateVlan
    x : Exit TFTP Backdoor function
 CLUSTER Backdoor Selection
LLDP Backdoor!!
security backdoor
backdoor: %s: command not found
exit -- back to up menu, quit -- back to accton backdoor
WEBAUTH Backdoor!!
 WEBAUTH_BACKDOOR_SetSuccessHostByPort ret %lu
 WEBAUTH_BACKDOOR_SetBlackHostByPort ret %lu
 WEBAUTH_BACKDOOR_SetTryingHostByPort ret %lu
===============Stack Management BackDoor Menu================
========== SYSCTRL_XOR_MGR BackDoor Menu ==========
SYSCTRL_XOR_MGR_BackDoorPermitBeingSetToPrivatePort
 LBD Backdoor Menu
 x - Exit backdoor
NTP_MGR: NTP Backdoor Selection
1.Backdoor functions
Please enter the password to enter backdoor function
 debug backdoor
 Snmp Backdoor Selection
==========DHCPSNP BackDoor Menu================
Add an entry failed by backdoor!!
  • At offsets 8142844 through 9284792 there is the copyright information Copyright string: "Copyright(C) Accton Corporation, 1999, 2000". If you look at that region, you will find the following strings:
input:
testtesttesttesttesttesttesttest
Taiwan
Hsinchu
Science-based industrial park!!!!
Creation Rd. III
Accton Technology Corporation
gfff
xml/devicedesc.xml
http://%s:%d/%s
3051a8d7aea73801e0bfbc539dd60cf3
  • Also, if you search for the word password, you will find a section like this:
% strings ram.bin | grep 'password' | head -3
username admin password 7 21232f297a57a5a743894a0e4a801fc3
username guest password 7 084e0343a0486ff05530df6c705c8bb4
enable password level 15 7 1b3231655cebb7a1f783eddf27d254ca
  • The last field of each password line above is an MD5 hash; here is what each of those MD5 hashes corresponds to:
21232f297a57a5a743894a0e4a801fc3 = admin
084e0343a0486ff05530df6c705c8bb4 = guest
1b3231655cebb7a1f783eddf27d254ca = super
  • There are many more interesting strings in the firmware. Here are a few of them:
h=50.1.1.1 u=Gemstone pw=Gemstone o=MAC0-
...
***************************************************************
<comp>
WARNING - MONITORED ACTIONS AND ACCESSES
<dep>
<manager-info>
Station's information:
<loc>
<manufacturer> - <id>
Floor / Row / Rack / Sub-Rack
<equ-floor> / <equ-row> / <equ-rack> / <equ-sub-rack>
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
<pw-floor> / <pw-row> / <pw-rack> / <pw-ec>
Number of LP: <num>
Position MUX: <mux>
IP LAN: <ip>
Note: <note>
***************************************************************
<comp>
<dep>
<manager-info>
<loc>
<manufacturer>
<id>
<equ-floor>
<equ-row>
<equ-rack>
<equ-sub-rack>
<pw-floor>
<pw-row>
<pw-rack>
<pw-ec>
<num>
<mux>
<ip>
<note>
WARNING : Access to this system is restricted solely to AT&T
authorized personnel and is limited to use for legitimate
business purposes only. This system is not permitted to be
accessed by AT&T users, customers, or other personnel, unless
specifically authorized in writing by AT&T. Unauthorized use or
access to this system by customers or users may represent a
breach of contract and/or violation of law, and may subject the
customer or user to adverse legal action, including but not
limited to termination of their AT&T services. If you have
accessed this system in error, please terminate your access
immediately.
Company:
Failed to set company.
Responsible department:
Failed to set department.
Name and telephone to Contact the management people
Manager1 name:
 phone number:
Failed to set manager information.
Manager2 name:
Manager3 name:
The physical location of the equipment.
City and street address:
Failed to set equipment location.
Information about this equipment:
Manufacturer:
ID:
Floor:
Row:
Rack:
Shelf in this rack:
Failed to set equipment information.
Information about DC power supply.
Electrical circuit: :
Failed to set DC power information.
Number of LP:
Failed to set LP number.
Position of the equipment in the MUX:
  • From here you can carry out further analysis, for example by disassembling the firmware with a tool such as IDA Pro or radare.


Closing

That is all for this tutorial; hopefully it is useful. Thanks to God Almighty, Maxindo, N3, and to you for reading this tutorial.


References