
Help Required: Reverse Engineering Firmware

  • 05-01-2014 11:22pm
    #1
    Closed Accounts Posts: 3,981 ✭✭✭


    Hello there.

    For the past while I've been playing around with various router and modem firmware from a wide variety of vendors. I usually unpack the filesystem and go from there. This led me to find a backdoor in a storage device Zyxel use, however this backdoor was already discovered and released back in 2010 and remains unpatched which tells you a lot about this sketchy company.

    So now I'm looking at more Zyxel firmware because I believe there to be further dodgy stuff on their devices and as I understand it, lots of Irish ISPs use them.

    I'm looking at the following firmware: ftp://ftp2.zyxel.com/WRE2205_v2/firmware/WRE2205 v2_V1.00(AANK.1)C0.zip

    I've unpacked it using binwalk and found squashfs on there.

    If you make your way to /etc/boa you'll find config files for the boa webserver. This is an open source web server. Of interest here is boa.passwd which contains the following:
    root:$1$iNT/snisG/y7YBVbw0tQaaaA
    

    boa.conf references this file as follows:
    Auth /  /etc/boa/boa.passwd
    

    So this hash is interesting. I was thinking it was md5 or base64 encoded or something like that but it isn't. John the Ripper doesn't recognize it either. When I look at the code for boa, I notice it uses djb2 which is detailed here: http://www.cse.yorku.ca/~oz/hash.html

    Have any of you dealt with djb2 hashes before? Any idea how to crack this hash?

    I figured I would post this as it would be a learning experience for us all. :)


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Well that algorithm is as simple as they come. I'd throw together a C++ program using it, read in from a dictionary file, hash the contents then compare.

    Might give this a whirl tomorrow if I get the time.

    Might also be worth trying to add it to hashcat for GPU goodness.


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Yeah I was thinking of doing that, but you're left with an unsigned long after you run the hash. Should you convert that to ascii then, and compare?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I'd do whatever boa does, tbh. In essence I'd take their hash generation algorithm and write an app that reads from a dictionary and uses it. There might already be some other tool that does it. That hash seems to be focused on speed, meaning you could give it a good hiding with hashcat and the "best 64" option if you could hack it into that.

    I'm hitting the hay, but I'll have a squizz when I get the chance (hopefully tomorrow).

    Interesting stuff though. As myself and a good friend would say "That's good flutin'"


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    That's the thing, boa hides what they do quite well as they have their own lexer and parser in there. There's a yyparse function but I can't get at it. It's a bit over my head at that point.

    Sleep well my man. :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    The djb2 you are referring to is only used as a key/value pair lookup.
    Look in the source code in hash.c
    /*
     * There are two hash tables used, each with a key/value pair
     * stored in a hash_struct.  They are:
     *
     * mime_hashtable:
     *     key = file extension
     *   value = mime type
     *
     * passwd_hashtable:
     *     key = username
     *   value = home directory
     *
     */
    
    struct _hash_struct_ {
        char *key;
        char *value;
        struct _hash_struct_ *next;
    };
    
    typedef struct _hash_struct_ hash_struct;
    
    static hash_struct *mime_hashtable[MIME_HASHTABLE_SIZE];
    static hash_struct *passwd_hashtable[PASSWD_HASHTABLE_SIZE];
    
    #ifdef WANT_ICKY_HASH
    static unsigned four_char_hash(char *buf);
    #define boa_hash four_char_hash
    #else
    #ifdef WANT_SDBM_HASH
    static unsigned sdbm_hash(char *str);
    #define boa_hash sdbm_hash
    #else
    static unsigned djb2_hash(char *str);
    #define boa_hash djb2_hash
    #endif
    #endif
    

    boa doesn't normally support HTTP Auth. However support is added via a patch: http://sourceforge.net/p/boa/patches/18/

    You can see it supports crypt(), MD5/BASE64. Password can be authenticated against OS passwd file or against specified one.

    The firmware you posted above seems to have applied this patch.
    However it's been modified a lot, and they seem to have included a lot of extra code into the web server for functionality specific to the router.

    In the patch above, you have a method called auth_check_userpass which does all the credential authentication.

    But in the firmware you posted, auth_check_userpass doesn't exist in the binary webs. But auth_check_userpass2 does. This looks to verify that a user of admin/admin, or 1234/1234 or admin/1234 (not sure which combination) has access to "/"


  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    h57xiucj2z946q wrote: »
    But in the firmware you posted, auth_check_userpass doesn't exist in the binary webs. But auth_check_userpass2 does. This looks to verify that a user of admin/admin, or 1234/1234 or admin/1234 (not sure which combination) has access to "/"

    Cheers Damo. I pulled up auth_check_userpass2 last night in IDA Pro and found the admin/1234 hidden there. Surely this is separate though?

    I did see base64 encode/decode, and some md5 functions in this binary as well.

    The $1$ made me think this was md5 but nothing recognizes it as such.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    [-0-] wrote: »
    Cheers Damo. I pulled up auth_check_userpass2 last night in IDA Pro and found the admin/1234 hidden there. Surely this is separate though?

    I did see base64 encode/decode, and some md5 functions in this binary as well.

    The $1$ made me think this was md5 but nothing recognizes it as such.

    It's md5. Md5 you see in the code might just exist as it's present in the original source code. Not sure if it's used anywhere. Normally the hash entry with $1$ is using Apache-like format with a salt, probably why jtr and hash-identifier don't recognise it. I cannot find any code yet that uses that external password file, but I stopped looking after I saw the hardcoded credentials. The base64 you see base64-decodes the username/password submitted via the authentication request. Then auth_check_userpass2 is called.

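    An added example (not code from the thread or from boa) that puts the two points above side by side: boa's djb2 is a table-lookup hash that yields a plain 32-bit integer, while a $1$ entry is modular-crypt (md5-crypt) format, which is always $1$salt$digest. Run against the root line quoted from boa.passwd, the checker reports that the entry carries the $1$ prefix but no second $ separating salt from digest, which on its own would stop JtR or hash-identifier from matching it; the alice and bob lines are constructed, well-formed comparison entries, not real digests.

```python
import re

# Constructed sample: the root line as quoted from the firmware's boa.passwd,
# plus a made-up md5-crypt entry and a made-up traditional DES-crypt entry.
SAMPLE_PASSWD = """\
root:$1$iNT/snisG/y7YBVbw0tQaaaA
alice:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0
bob:abJnggxhB/yWI
"""

# md5-crypt: $1$ (or $apr1$), 1-8 char salt, '$', 22 chars of crypt base64
MD5CRYPT_RE = re.compile(r'^\$(1|apr1)\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$')
# traditional DES-crypt: 13 chars of crypt base64, no prefix
DESCRYPT_RE = re.compile(r'^[./0-9A-Za-z]{13}$')

def djb2(s: str, bits: int = 32) -> int:
    """Bernstein's djb2 (hash * 33 + c), the table-lookup hash in boa's hash.c.
    Masked to the word width (32 bits on the router's MIPS CPU); the output is
    an integer, so it can never look like a '$1$...' credential string."""
    h = 5381
    for c in s.encode():
        h = (h * 33 + c) & ((1 << bits) - 1)
    return h

def classify_hash(field: str) -> str:
    """Name the format of one boa.passwd hash field, or say why it is unrecognised."""
    m = MD5CRYPT_RE.match(field)
    if m:
        return "md5-crypt" if m.group(1) == "1" else "apr1-md5-crypt"
    if field.startswith("$1$") or field.startswith("$apr1$"):
        # modular-crypt prefix present, but no '$' between salt and digest
        return "malformed modular-crypt: $1$ prefix but missing salt/digest separator"
    if DESCRYPT_RE.match(field):
        return "traditional DES-crypt"
    if field.isdigit():
        return "bare integer (djb2-style table hash, not a password hash)"
    return "unrecognised"

def audit_boa_passwd(text: str) -> dict:
    """Map each username in a boa.passwd body to the classification of its hash field."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, field = line.partition(":")
        result[user] = classify_hash(field.strip())
    return result

if __name__ == "__main__":
    for user, verdict in audit_boa_passwd(SAMPLE_PASSWD).items():
        print(f"{user}: {verdict}")
    print("djb2('admin') =", djb2("admin"))
```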

  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    So I had gone as far as I could have without knowing it really. Good to know!

    Do you have any recommended assembly & ida pro books Damo?

    I bought these:
    http://www.amazon.com/gp/product/0764579010
    http://www.amazon.com/gp/product/1478119209


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    [-0-] wrote: »
    So I had gone as far as I could have without knowing it really. Good to know!

    Do you have any recommended assembly & ida pro books Damo?

    I bought these:
    http://www.amazon.com/gp/product/0764579010
    http://www.amazon.com/gp/product/1478119209

    I'm not really sure. I'm not really good at this stuff and just try to google my way through it. However for MIPS assembly, these might be worth a look:

    http://www-id.imag.fr/~briat/perso.html/NACHOS/NACHOS_DOC/04-MIPSintro.pdf
    http://chortle.ccsu.edu/AssemblyTutorial/index.html


  • Moderators, Society & Culture Moderators Posts: 24,427 Mod ✭✭✭✭robindch


    [-0-] wrote: »
    Do you have any recommended assembly [...]
    Here's one that I think I remember reading about 20 years ago and not finding too bad:

    http://css.csail.mit.edu/6.858/2012/readings/i386.pdf

    I haven't used IDA since shortly after it came out whenever that was, so can't offer any help there. On the odd occasion I've had to delve into Win32 at the processor level, I use OllyDbg in preference to windbg, and that in preference to the VC++ 6.0 machine debugger. Haven't used anything beyond VC6 at the machine level though I gather they've come on, though only a little.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q




  • Closed Accounts Posts: 3,981 ✭✭✭[-0-]


    Legend!


  • Registered Users, Registered Users 2 Posts: 7 mister_minn


    Interesting looking course on Coursera for those of us who have a bit of catching up to do.


  • Registered Users, Registered Users 2 Posts: 1 JohnDMcDonnell


    You probably already know that user 'admin' with password 'admin1234' is a popular default password on many routers; Vodafone presently use it on their HG658c for example.

