Lab Setup - IoT - Security Assessment Flow | Educational Purpose

IoT Security Assessment

Step 1: Install the following tools on your Linux machine.

Tool prerequisites:
1. hexdump
hexdump is a Unix command-line tool that displays the raw byte content of a file in hexadecimal, optionally with an ASCII column. It is commonly used for a first look at binary files, firmware images, memory dumps and on-disk data structures.
2. binwalk + squashfs-tools
Binwalk is a firmware analysis and reverse engineering tool that scans a binary for known file and filesystem signatures and carves them out. It is widely used in embedded device security testing. To unpack the SquashFS filesystems it finds it relies on unsquashfs from squashfs-tools (or on sasquatch, the binwalk fork of unsquashfs that also handles vendor-modified SquashFS variants), so install that alongside it.
3. firmadyne
Firmadyne is an automated firmware emulation and dynamic analysis framework designed to help security researchers emulate, instrument and analyze Linux-based firmware images, especially for embedded devices such as routers, IP cameras and smart home devices.

Step 2: Obtain the device and its firmware file.
For this walkthrough, assume the target is a Netgear WNAP320 access point and that its firmware image has been obtained as firmware.bin (either downloaded from the vendor or dumped from the device), and that this file is the subject of the assessment.

Static Analysis:
Tools used: Hexdump & BinWalk

Step 3: Identify the firmware image format before testing begins.
Tool used: hexdump. Look at the first bytes of firmware.bin together with the ASCII column.

Note: the fragment qshs.....W....F.... is the SquashFS signature (SquashFS, short for Squashed File System). The signature stored in the image is the four bytes hsqs for a little-endian filesystem or sqsh for a big-endian one; the listing shows the bytes of each 16-bit word swapped, which is why it reads qshs. Binwalk reports the byte order explicitly in the next step.

Step 4: Confirm that the image contains a SquashFS filesystem with binwalk, which reports the offset, endianness, version and compression of every signature it recognises.


Step 5: Binwalk's extraction mode writes the carved contents to the directory _firmware.bin.extracted/, which includes the unpacked root filesystem (squashfs-root/). This is the source tree for the static review.


Step 6: Browse the extracted root filesystem and review the web application's source. The WNAP320 management interface is written in PHP, so its .php pages can be read directly.
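To make Steps 3 to 5 concrete, here is an added example (written for this post, not binwalk's or firmadyne's code) that does what binwalk's signature scan does for SquashFS: it searches a blob for the magic in both byte orders, validates each hit by decoding the superblock, and reports endianness, version, compression and block size. The firmware.bin it runs on is a constructed sample built inside the script, with a decoy text string and two synthetic SquashFS 4.0 superblocks; the hexdump_c helper prints the same view hexdump gives in Step 3, so the hsqs/sqsh signature can be seen in the ASCII column.

```python
"""Scan a firmware image for SquashFS superblocks and decode them (Steps 3-5).

Added example for this post, not code from binwalk or the original article.
The image returned by build_sample_image() is constructed here; the real
WNAP320 firmware is not included.
"""
import struct

SQUASHFS_MAGIC = 0x73717368   # stored as "hsqs" (little-endian) or "sqsh" (big-endian)
SUPERBLOCK_LEN = 96           # size of a SquashFS 4.x superblock
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def hexdump_c(data, length=32):
    """Render bytes the way `hexdump -C` does: offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, min(len(data), length), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<47}  |{ascii_part}|")
    return "\n".join(lines)


def parse_superblock(data, offset):
    """Decode the superblock at `offset`; return None if the magic is only a string hit."""
    magic = data[offset:offset + 4]
    if magic == struct.pack("<I", SQUASHFS_MAGIC):
        end = "<"
    elif magic == struct.pack(">I", SQUASHFS_MAGIC):
        end = ">"
    else:
        return None
    if len(data) < offset + SUPERBLOCK_LEN:
        return None
    # Every SquashFS version keeps major/minor at superblock offset 28.
    major, minor = struct.unpack_from(end + "HH", data, offset + 28)
    if not (1 <= major <= 4 and minor <= 10):
        return None   # "hsqs"/"sqsh" inside text or code, not a filesystem
    info = {"offset": offset, "endian": "little" if end == "<" else "big",
            "version": f"{major}.{minor}"}
    if major < 4:
        info["note"] = "SquashFS 1.x-3.x superblock; layout differs, fields not decoded here"
        return info
    inodes, mtime, block_size, frag_count, comp, block_log, flags, id_count = \
        struct.unpack_from(end + "IIIIHHHH", data, offset + 4)
    root_inode, bytes_used = struct.unpack_from(end + "QQ", data, offset + 32)
    if block_size != 1 << block_log or not 12 <= block_log <= 20:
        return None   # v4 requires block_size == 2**block_log, 4 KiB .. 1 MiB
    info.update({"inodes": inodes, "mtime": mtime, "block_size": block_size,
                 "fragments": frag_count,
                 "compression": COMPRESSORS.get(comp, f"unknown({comp})"),
                 "flags": flags, "ids": id_count, "root_inode": root_inode,
                 "bytes_used": bytes_used})
    return info


def scan(data):
    """Find every plausible SquashFS superblock, as binwalk's signature scan does."""
    found = []
    for magic in (struct.pack("<I", SQUASHFS_MAGIC), struct.pack(">I", SQUASHFS_MAGIC)):
        pos = data.find(magic)
        while pos != -1:
            sb = parse_superblock(data, pos)
            if sb:
                found.append(sb)
            pos = data.find(magic, pos + 1)
    return sorted(found, key=lambda sb: sb["offset"])


def make_superblock(end, compression=4, block_log=17):
    """Constructed v4 superblock with the given byte order ('<' or '>'); xz, 128 KiB blocks."""
    sb = struct.pack(end + "IIIIIHHHHHHQQ",
                     SQUASHFS_MAGIC, 123, 1_700_000_000, 1 << block_log, 7,
                     compression, block_log, 0x00C0, 1, 4, 0, 0x1234, 987_654)
    return sb.ljust(SUPERBLOCK_LEN, b"\x00")


def build_sample_image():
    """Constructed stand-in for firmware.bin: a text decoy containing 'hsqs', then a
    little-endian superblock at offset 192 and a big-endian one at offset 320."""
    decoy = b"banner: the string hsqs inside text is not a filesystem".ljust(128, b"\x00")
    return (decoy + b"\x00" * 64
            + make_superblock("<") + b"\x00" * 32
            + make_superblock(">") + b"\x00" * 32)


if __name__ == "__main__":
    image = build_sample_image()
    print(hexdump_c(image[320:], 16))   # ASCII column reads |sqsh...| for the big-endian block
    for sb in scan(image):
        print(sb)
```

The decoy string shows why a bare magic match is not enough: the scan only accepts a hit whose version and block-size fields make sense, which is the same kind of sanity check binwalk applies before listing a SquashFS signature. To run it on a real image, replace build_sample_image() with open("firmware.bin", "rb").read().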



Dynamic Analysis:
Tools Used: Firmadyne:

Commands (run from the firmadyne checkout; the first image inserted into the database gets firmware ID 1, which the later commands refer to):
nano firmadyne.config > set FIRMWARE_DIR to the absolute path of the firmadyne checkout
sudo python3 sources/extractor/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images

Command parts breakdown:
  • sudo: runs the command as root, as firmadyne's README does, so that extraction can preserve ownership and device nodes in the root filesystem.
  • python3: the Python 3 interpreter.
  • sources/extractor/extractor.py: firmadyne's extractor, which unpacks the vendor archive with binwalk, locates the root filesystem and stores it as a tarball, recording the image in the database.
  • -b Netgear: the brand recorded in the database for this image.
  • -sql 127.0.0.1: hostname of the PostgreSQL server that holds firmadyne's image metadata.
  • -np: disable parallel operation (process one image at a time).
  • -nk: disable extraction of kernels; only the root filesystem is needed for emulation.
  • "WNAP320 Firmware Version 2.0.3.zip": the input archive, Netgear's firmware download for the WNAP320, version 2.0.3.
  • images: output directory; the extracted root filesystem is written there as images/<id>.tar.gz, here images/1.tar.gz.

sudo bash scripts/getArch.sh images/1.tar.gz
  • sudo: runs the command as root so the tarball can be read regardless of the ownership preserved inside it.
  • bash: runs the script with the Bash shell.
  • scripts/getArch.sh: detects the CPU architecture of the root filesystem (for example mipseb, mipsel or armel) by inspecting its binaries and records it in the database; firmadyne uses it to select the matching pre-built kernel and QEMU system emulator.
  • images/1.tar.gz: the root filesystem tarball produced by extractor.py for firmware ID 1.

sudo python3 scripts/tar2db.py -i 1 -f images/1.tar.gz
  • sudo: runs the command as root for reading the tarball.
  • python3: the Python 3 interpreter.
  • scripts/tar2db.py: walks the tarball's file listing and stores every path, with its ownership and permissions, in the PostgreSQL database, so the filesystem contents can be queried later without re-extracting the image.
  • -i 1: the firmware ID the rows are associated with.
  • -f images/1.tar.gz: the root filesystem tarball created by extractor.py.

sudo bash scripts/makeImage.sh 1
  • sudo: runs the command as root; the script creates a raw disk image, attaches it to a loop device, mounts it and writes the filesystem into it.
  • bash: runs the script with the Bash shell.
  • scripts/makeImage.sh: builds the QEMU disk image scratch/1/image.raw from images/1.tar.gz and adds firmadyne's instrumentation to it (the firmadyne directory with its console helper, the NVRAM emulation library and the init scripts), so the root filesystem boots under firmadyne's instrumented kernel.
  • 1: the firmware ID; output goes to scratch/1/.
sudo bash scripts/inferNetwork.sh 1
  • sudo: runs the command as root; the script boots the image under QEMU and the networking it configures needs root.
  • bash: runs the script with the Bash shell.
  • scripts/inferNetwork.sh: boots the image once under the instrumented kernel, records the interfaces and IP addresses the firmware configures while starting up (for the WNAP320 this yields 192.168.0.100), and writes a run script with the matching QEMU network configuration.
  • 1: the firmware ID; the result is scratch/1/run.sh.
sudo bash scratch/1/run.sh
  • sudo: runs the command as root, needed for the tap interface and bridge the script creates for the emulated network.
  • bash: runs the script with the Bash shell.
  • scratch/1/run.sh: the run script generated by inferNetwork.sh for firmware ID 1. It starts QEMU with the architecture-specific firmadyne kernel, attaches scratch/1/image.raw as the disk and sets up host networking so the inferred address is reachable from the host.
Once the emulated firmware has finished booting, browse to the inferred address:
http://192.168.0.100







The Netgear WNAP320 management dashboard now runs under emulation, so its web interface can be exercised for testing without the physical device.
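Booting under QEMU can take minutes, so here is an added example (not part of firmadyne or of the original post) that polls the inferred address until the web interface answers and records what an assessment note needs: status, server banner, page title, and whether a login form or HTTP authentication challenge is present. The URL is the one inferNetwork.sh reported above; the SAMPLE_HEADERS and SAMPLE_BODY response is constructed for an offline run and is not a capture from a WNAP320.

```python
"""Confirm the emulated web UI is up after run.sh and record its banner.

Added example for this post, not part of firmadyne. EMULATED_URL is the
address inferNetwork.sh reported for the WNAP320 image; SAMPLE_HEADERS and
SAMPLE_BODY are constructed for the offline demo, not a real device reply.
"""
import http.client
import re
import socket
import time
import urllib.error
import urllib.request

EMULATED_URL = "http://192.168.0.100/"


def fingerprint(status, headers, body):
    """Reduce one HTTP response to the facts worth recording."""
    title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    has_form = re.search(r"<form\b", body, re.I) is not None
    has_password = re.search(r"""type\s*=\s*["']?password""", body, re.I) is not None
    return {
        "status": status,
        "server": headers.get("Server", ""),
        "auth": headers.get("WWW-Authenticate", ""),   # HTTP auth challenge, if any
        "sets_cookie": headers.get("Set-Cookie") is not None,
        "title": title.group(1).strip() if title else "",
        "login_form": has_form and has_password,
    }


def wait_for_web_ui(url=EMULATED_URL, timeout=300, interval=10):
    """Poll until the emulated firmware answers on `url`.

    A 4xx/5xx reply still means the service is up and is fingerprinted too:
    a 401 carrying WWW-Authenticate is a common IoT login front door.
    """
    deadline = time.monotonic() + timeout
    last_error = None
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                return fingerprint(resp.status, resp.headers,
                                   resp.read(65536).decode("latin-1"))
        except urllib.error.HTTPError as err:
            return fingerprint(err.code, err.headers, err.read(65536).decode("latin-1"))
        except (urllib.error.URLError, socket.timeout,
                http.client.HTTPException, ConnectionError) as err:
            last_error = err          # not booted yet, or QEMU networking not up
            time.sleep(interval)
    raise TimeoutError(f"{url} did not answer within {timeout}s: {last_error!r}")


# Constructed sample response for the offline run; not captured from a WNAP320.
SAMPLE_HEADERS = {"Server": "lighttpd (constructed)", "Set-Cookie": "sid=abc; path=/"}
SAMPLE_BODY = ("<html><head><title>Access Point Login</title></head>"
               "<body><form method='post' action='login.php'>"
               "<input name='user'><input type='password' name='pass'>"
               "</form></body></html>")

if __name__ == "__main__":
    print(fingerprint(200, SAMPLE_HEADERS, SAMPLE_BODY))
    # Against the running emulation: print(wait_for_web_ui())
```

Run it in a second terminal after scratch/1/run.sh; if it times out, check that the tap interface run.sh created exists on the host and that the address matches what inferNetwork.sh printed, since a different inferred address is the usual cause.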
