Introduction
In Part I, I connected to the router's UART, found a command-line interface and used its shell command to obtain root privileges. With that access I can now explore the router the way a tester would. My first impression is that routers are relatively easy to get into: it does not take expensive tools, and the work often turns up interesting results. It is also a good entry point for anyone who wants to do hardware-side reverse engineering but has little time for it, since this kind of low-level work gets far less attention than higher-level targets such as network vulnerabilities and ISP protocols.
This article reflects the intent of the original author. The tools and techniques it introduces are offensive in nature, so please use them legally and legitimately.
Recap
A summary of the results of the previous part.
Pressing Enter shows the "Welcome to ATP Cli" banner along with a login prompt. Trying the obvious default, admin:admin logs in successfully, and the shell command then drops us into BusyBox.
-------------------------------------
------Welcome to ATP Cli-------------
-------------------------------------
Login: admin
Password:            # the password is 'admin'
ATP>shell

BusyBox vv1.9.1 (... CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
var   usr   tmp   sbin  proc  mnt   lib   init  etc   dev   bin
The firmware running on the Ralink IC can be viewed as three layers:
U-Boot: the device's bootloader. From it you can inspect how memory is mapped on the device, start the firmware, and perform other relatively low-level tasks.
ATP: Huawei's firmware layer, which manages the hardware and the processing of data. For our purposes it can basically be treated as the Linux kernel, together with its own small command-line interface.
BusyBox: a toolkit that bundles the most common Linux commands and tools into one binary, and which also gives us a shell.
Low-level access by itself does not give you all the data on the device, but BusyBox puts a great deal within reach, so it is worth using it properly. For now I am concentrating on the boot sequence: some of the information printed while the device boots is important, so let me see what I can use.
Boot sequence
The boot sequence contains many interesting entries, along with other information such as the compression algorithm used for the firmware and the layout of the flash segments.
The flash memory information (the chip is reported as Intel) is also useful, and I can analyse it from here.
More information
When we go on to access the flash data directly we will need to deal with that compression algorithm, so it helps to know now which one is in use.
ATP and BusyBox
The Ralink IC in the router runs firmware (ATP) that controls the storage units and the parallel processing of data while keeping the hardware in a working state. In other words, ATP can be thought of as the Linux kernel plus its own command-line interface, the ATP CLI we saw earlier, which is very limited.
Typing ? at the ATP> prompt lists the available commands:
ATP>?
cls
debug
help
save
?
exit
ATP>
Note that the shell command we used does not appear in this list, even though it works; help and the shell are the usual way in. There are fewer than ten commands in the ATP CLI, and nothing for file management or navigating the file system, which is why BusyBox is there.
BusyBox bundles the common UNIX commands into a single binary. It is easy to build for a new platform and, notably, saves memory. From ls and cd to top and the system startup scripts, it lets me use the Ralink IC like an ordinary Linux box.
Entering BusyBox, I can list the available commands and run them:
ATP>shell

BusyBox vv1.9.1 (... CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
var   usr   tmp   sbin  proc  mnt   lib   init  etc   dev   bin
#
# ls /bin
zebra        swapdev     printserver  ln          ebtables    cat
wpsd         startbsp    pppc         klog        dns         busybox
wlancmd      sntp        ping         kill        dms         brctl
web          smbpasswd   ntfs-3g      iwpriv      dhcps       atserver
usbserver    smbd        nmbd         iwconfig    dhcpc       atmcmd
usbmount     sleep       netstat      iptables    ddnsc       atcmd
upnp         siproxd     mount        ipp         date        atupg
sh           mldproxy    ipcheck      cwmp        ash
umount       scanner     mknod        ipcp        adslcmd
tr111        rm          mkdir        igmpproxy   console     acl
tr064        ripd        mii_mgr      hw_nat      cms         ac
telnetd      reg         mic          ethcmd      cli
tc           radvdump    ls           equipcmd    chown
switch       ps          log          echo        chmod
#
Note the difference between the BusyBox applets and the rest of the file system: many entries in /bin are just links to the busybox binary, while the others are the router's own programs. The BusyBox binary itself is not a promising place to start, since no sensitive data will be stored in it.
Analysing the file system
Now that I know which commands are available, the next step is to look for useful data. I do not want to go through every command in detail; a general picture of the system is enough. top is a good starting point: it shows the running processes for all users. The router is currently idle, so there is not much to see.
One of the running processes is usbmount, which means the router's USB port is live, so I plug in a USB stick.
usb 1-1: new ... device using ...
[...]
 2374 ... renice -n +10 1423
After inserting it, the disk is mounted at /mnt/usb1_1/ and a Samba server is started; its related files are all in /etc/samba/.
# ls -l /etc/samba/
-rw-r--r--    1 0        0             103 smbpasswd
-rw-r--r--    1 0        0               0 smbusers
-rw-r--r--    1 0        0             480 smb.conf
-rw-------    1 0        0            8192 secrets.tdb
# cat /etc/samba/smbpasswd
nobody:0:XXXXXXXXXXXXXXXXXXX:564E923F5AF30J373F7C8_______4D2A:[U]:LCT-1ED36884:
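The smbpasswd line above packs several facts into one record. The following shell script, added here as an example (it is not part of the original article), takes a line in that format apart: it reports the user, the flags, whether a legacy LM hash is stored, whether the NT hash is the well-known hash of the empty password, and when the entry was last changed. The sample line is constructed for the example (its NT hash is the empty-password hash, not the router's); only the LCT value is the one from the listing above.

```shell
#!/bin/sh
# Added example (not from the original article): pick apart a line from the
# Samba smbpasswd file copied off the router. The format is
#   user:uid:LM_HASH:NT_HASH:[flags]:LCT-<hex unix time>:
# Samba fills the LM field with 32 X's when no LM hash is stored, and
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password.
# The line below is constructed for this example (the hash is the
# empty-password hash, not the router's); the LCT value is the article's.

SAMPLE_SMBPASSWD='nobody:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-1ED36884:'
EMPTY_NT_HASH=31d6cfe0d16ae931b73c59d7e0c089c0

field() { printf '%s\n' "$2" | cut -d: -f"$1"; }   # colon-separated field N of a line

smb_user()    { field 1 "$1"; }
smb_nt_hash() { field 4 "$1" | tr 'A-F' 'a-f'; }
smb_flags()   { field 5 "$1" | sed 's/[][ ]//g'; }  # strip the brackets and padding

# Returns 0 (true) when a real LM hash is present, 1 when the field is X's.
smb_has_lm() {
    case $(field 3 "$1") in X*) return 1 ;; *) return 0 ;; esac
}

# LCT-xxxxxxxx is the last-change time as hexadecimal seconds since the epoch.
smb_lct_epoch() {
    hex=$(field 6 "$1" | sed 's/^LCT-//')
    echo $(( 0x$hex ))
}

smb_report() {
    nt=$(smb_nt_hash "$1")
    if [ "$nt" = "$EMPTY_NT_HASH" ]; then
        pw="EMPTY password"
    else
        pw="password set (NT hash $nt)"
    fi
    if smb_has_lm "$1"; then
        lm="LM hash present (weak, crackable offline)"
    else
        lm="no LM hash"
    fi
    printf '%s: flags=%s; %s; %s; last changed at unix time %s\n' \
        "$(smb_user "$1")" "$(smb_flags "$1")" "$lm" "$pw" "$(smb_lct_epoch "$1")"
}

smb_report "$SAMPLE_SMBPASSWD"
```

The LCT value 1ED36884 decodes to 517171332, a date in 1986, which suggests the router's clock was not set when the entry was written. The NT hash is what you would feed to an offline cracker; the X-filled LM field means there is no weaker LM hash to attack.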
More data
netstat -a: see which ports are open.
iptables --list: the firewall rules. We could open up remote logins and keep a network connection to the device, but I prefer to leave it in its original state.
wlancmd help: remote control of the wireless radio.
/etc/profile
/etc/inetd
/etc/services
/var/: files the system uses while it is running.
/etc/: system configuration files, and so on.
Both /var/ and /etc/ contain plenty of files. So what is /etc/serverkey.pem about?
It is normal to find TLS certificates and private keys on an embedded device. Since every unit of a given model ships with the same key, extracting it from one device also helps you identify other devices of the same type. The private key may be used for the services the device exposes; on the other hand it is also common to find public certificates used to authenticate a remote server. I found two here, both signed by the same entity.
/etc/servercert.pem: most likely the server certificate that goes with the key.
/etc/root.pem: probably used to verify the server the router connects to (not sure).
/etc/ppp256/config and /etc/ppp258/config contain more data: the PPP configuration, including the credentials used to authenticate the connection.
The same credentials are also exposed through the HTTP interface, which is why I raise the point here; I will come back to it later. There is more information than I can analyse in one sitting, so the next step is to copy the data to the USB stick from earlier and analyse it on my computer.
Collecting data
Once the collected data is on your computer, you can search for certificates with find . -name "*.pem"; there are no other TLS certificates beyond those already found. Want to search the files for passwords? grep -i -R password .
The certificates turn out to be used for TR-069, a local service, and STUN. STUN is a network protocol that lets a client behind one or more NATs discover its public address, the type of NAT it sits behind, and the Internet-side port the NAT has bound to a local port. All of this can also be configured through the HTTP interface, but those pages are usually hidden. If you want to know more about TR-069 and related topics, "Beyond Your Cable Modem" covers a lot of it. Some of the stored values are merely base64-encoded, which is not encryption and offers hardly any protection.
$ echo "QUJCNFVCTU4=" | base64 -D
ABB4UBMN
This is the WiFi password set on the router. It comes from two interesting files, which matter not only for their contents but because they are an important part of how the router works:
/var/curcfg.xml: the current configuration, including the WiFi password (base64-encoded) as set at that moment.
/etc/defaultcfg.xml: the default configuration, used to restore the factory settings; it does not include the router's default password information.
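Decoding one value by hand is fine; decoding every base64-looking value in a copied configuration file is what you actually want. The following shell script, added here as an example (it is not part of the original article), scans a curcfg.xml-style file for attribute values that fit the base64 alphabet and decodes the ones that yield printable text. The sample XML is constructed for this example: the element and attribute names are invented, and only the WiFi key value QUJCNFVCTU4= comes from the article.

```shell
#!/bin/sh
# Added example (not from the original article): scan a configuration file
# copied off the router, such as /var/curcfg.xml, for attribute values that
# look base64-encoded and decode them, so "obfuscated" credentials stand out.

# Write a constructed sample config (not the real curcfg.xml) to a temp file
# and print its path. Only the WiFi key value QUJCNFVCTU4= is taken from the
# article; the element and attribute names are invented for this example.
sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<Config>
  <WLANConfiguration SSID="HomeAP" BeaconType="11i" KeyPassphrase="QUJCNFVCTU4="/>
  <ManagementServer URL="http://acs.example.invalid/" Username="cpe" Password="cGFzc3dvcmQx"/>
</Config>
EOF
    printf '%s\n' "$f"
}

# Print ATTRIBUTE=DECODED for every attr="value" pair whose value uses only
# the base64 alphabet, has a length that is a multiple of 4, and decodes to
# printable text. Short plain strings such as SSID="HomeAP" fail the length
# test; values that decode to binary are dropped by the printable check.
decode_cfg_secrets() {
    grep -o '[A-Za-z0-9_]*="[A-Za-z0-9+/]*=\{0,2\}"' "$1" |
    while read -r pair; do
        attr=${pair%%=*}
        val=${pair#*=\"}
        val=${val%\"}
        [ -n "$val" ] || continue
        [ $(( ${#val} % 4 )) -eq 0 ] || continue
        decoded=$(printf '%s' "$val" | base64 -d 2>/dev/null) || continue
        printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:]]' && continue
        printf '%s=%s\n' "$attr" "$decoded"
    done
}

cfg=$(sample_cfg)
decode_cfg_secrets "$cfg"   # KeyPassphrase=ABB4UBMN and Password=password1
rm -f "$cfg"
```

The length and printable-text filters keep the noise down but are heuristics: a short real password whose length happens to be a multiple of 4 (such as "11ii") would be decoded to garbage and dropped, so anything the filter rejects is still worth a look by eye. On macOS, base64 takes -D instead of -d, as in the command above.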
ATP (CLI)
The ATP CLI offers only a handful of commands. The most interesting are shell and debug, but debug is not a real debugger: it just gives me a few sub-commands, igmpproxy, cwmp, sysuptime and atpversion, which are of little use. I am considering whether the cwmp command could be useful, since it relates to the remote configuration of the router.
Note that CWMP (TR-069) is the protocol used to manage routers remotely. The remaining ATP commands, clear screen, help, save and exit, are of no use for this step.
Bootloader command-line interface
The bootloader's command-line interface gives access to some memory areas but unfortunately does not give me direct access to the flash memory chip. The relevant information is shown below:
Please choose operation:
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.

You choosed 4

Stopped Uboot WatchDog Timer.
4: System Enter Boot Command Line Interface.

U-Boot 1.1.3 (...)
RT3352 # help
?       - alias for 'help'
bootm   - boot application image from memory
cp      - memory copy
erase   - erase SPI FLASH memory
go      - start application at address 'addr'
help    - print online help
md      - memory display
mdio    - Ralink PHY register R/W command !!
mm      - memory modify (auto-incrementing)
mw      - memory write (fill)
nm      - memory modify (constant address)
printenv- print environment variables
reset   - Perform RESET of the CPU
rf      - read/write rf register
saveenv - save environment variables to persistent storage
setenv  - set environment variables
uip     - uip command
version - print monitor version
RT3352 #
Be careful with erase, mm, mw and nm: do not run them unless you really need to. They are not relevant to this step, and in some cases they will cause the device to reboot and leave it bricked. What caught my attention instead were md (memory display) and printenv.
RT3352 # printenv
bootcmd=tftp
bootdelay=2
baudrate=57600
ethaddr="00:aa:bb:cc:dd:10"
ipaddr=192.168.1.1
serverip=192.168.1.2
ramargs=setenv bootargs root=/dev/ram rw
addip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):off
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) ethaddr=$(ethaddr) panic=1
flash_self=run ramargs addip addmisc;bootm $(kernel_addr) $(ramdisk_addr)
kernel_addr=BFC40000
u-boot=u-boot.bin
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
loadfs=tftp 8A100000 root.cramfs
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
test_tftp=tftp 8A100000 root.cramfs;run test_tftp
stdin=serial
stdout=serial
stderr=serial
ethact=Eth0 (10/100-M)

Environment size: 765/4092 bytes
I can see the baud rate setting, which matches the UART, and some interesting memory addresses. These do not look like raw flash addresses: the SPI flash only needs three address bytes, so its address space is [0x00000000, 0x00ffffff].
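Rather than eyeballing the dump, the checks above can be scripted. The following shell script, added here as an example (it is not part of the original article), pulls every 8-digit hex constant out of the printenv output, tests whether each one fits in the 3-byte SPI flash address space, and computes the size of the range that u_fs erases. The dump is the article's, trimmed to the lines that carry addresses; the only assumption is U-Boot's documented meaning of "era A B" (erase the inclusive range A..B).

```shell
#!/bin/sh
# Added example (not from the original article): pull the addresses out of a
# saved U-Boot printenv dump and apply the same sanity checks as the text:
# does an address fit in the 3-byte SPI flash address space, and how big is
# the range that u_fs erases? The dump is the article's, trimmed to the lines
# that carry addresses. The only assumption is U-Boot's documented meaning of
# "era A B" (erase the inclusive range A..B).

PRINTENV_DUMP='kernel_addr=BFC40000
load=tftp 8A100000 $(u-boot)
u_b=protect off 1:0-1;era 1:0-1;cp.b 8A100000 BC400000 $(filesize)
u_fs=era bc540000 bc83ffff;cp.b 8A100000 BC540000 $(filesize)
loadfs=tftp 8A100000 root.cramfs'

# Size in bytes of the inclusive range "era START END".
era_range_size() { echo $(( 0x$2 - 0x$1 + 1 )); }

# Prints 1 if the hex address fits in 24 bits (0x000000..0xffffff), else 0.
fits_spi_3byte() {
    if [ $(( 0x$1 )) -le $(( 0xffffff )) ]; then echo 1; else echo 0; fi
}

# Every 8-digit hex constant in the dump, lower-cased and deduplicated.
env_hex_addrs() {
    printf '%s\n' "$1" | grep -oE '[0-9A-Fa-f]{8}' | tr 'A-F' 'a-f' | sort -u
}

# Report each address with its 24-bit verdict, then the u_fs erase range.
env_report() {
    dump=$1
    for a in $(env_hex_addrs "$dump"); do
        printf '%s  fits_3_byte_spi_address=%s\n' "$a" "$(fits_spi_3byte "$a")"
    done
    # The only "era" with two full addresses is the u_fs one.
    set -- $(printf '%s\n' "$dump" | grep -oE 'era [0-9A-Fa-f]{8} [0-9A-Fa-f]{8}')
    size=$(era_range_size "$2" "$3")
    printf 'u_fs erases %s..%s: %s bytes (%s KiB)\n' "$2" "$3" "$size" "$(( size / 1024 ))"
}

env_report "$PRINTENV_DUMP"
```

Every address in the dump fails the 24-bit test, which is the text's point: they are CPU-side addresses at which the flash (or RAM, for the 8A100000 tftp load buffer) is mapped, not offsets into the chip. The u_fs range works out to 3 MiB, which is the space reserved for root.cramfs and a useful figure to compare against the file system image later.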
Let's look at the useful information here, such as the interfaces and, in particular, kernel_addr=bfc40000.
Reading that address with md only produces a "bad address" message: the md command has a hard-coded check that tells you when you are trying to read an invalid memory address. That is not ideal, but it does not take away the boot information we already have.
Note that by entering the bootloader command line I stopped the boot before the Linux kernel was loaded into memory, so what can be seen from this interface is limited.
I can still use md to walk through the memory where the SPI flash image is mapped, looking at the strings and data it contains. This does not mean much yet, but it is a way to get familiar with the storage layout; for example, there is a clear change in content at 0x000d0000, which is visible in the md output.
Future articles will combine this with the firmware image to analyse the data in detail and get more out of the system.
* Reference source: jcjc-dev
Technology sharing: Reverse engineering Huawei routers, Part II