Firmanal is an automated firmware analysis tool based on Firmadyne, and it currently only works on Arch Linux.
After cloning this repository, edit the MAIN_DIR variable in the configure.sh.
Then execute the setup.sh, which will set up the environment.
./scripts/setup.sh
All pre-built binaries (console, libnvram, kernels) have been included in this repository.
You may, if you want, compile those binaries by yourself using the ./scripts/compile_bin.sh.
- Set
MAIN_DIRinconfigure.shto point to the root of this repository. - Download a firmware image, e.g. v2.0.3 for Netgear WNAP320.
wget http://www.downloads.netgear.com/files/GDC/WNAP320/WNAP320%20Firmware%20Version%202.0.3.zip
- Use the extractor to recover only the filesystem, no kernel (
-nk), no parallel operation (-np), populating theimagetable in the SQL server at127.0.0.1(-sql) with theNetgearbrand (-b), and storing the tarball inimages../scripts/extractor.py -b Netgear -sql 127.0.0.1 -np -nk "WNAP320 Firmware Version 2.0.3.zip" images
- Load the contents of the filesystem for firmware
1into the database, populating theobjectandobject_to_imagetables../db/import.py -i 1 -f ./images/1.tar.gz
- Create the QEMU disk image for firmware
1.sudo ./qemu/scripts/makeImage.sh 1
- Infer the network configuration for firmware
1. Kernel messages are logged to./qemu/vm/1/qemu.initial.serial.log../qemu/scripts/inferNetwork.sh 1
- Emulate firmware
1with the inferred network configuration. This will modify the configuration of the host system by creating a TAP device and adding a route. UseCtrl-a + xto terminate the guest../qemu/vm/1/run.sh
- The system should be available over the network, and is ready for analysis. Kernel messages are logged to
./qemu/vm/1/qemu.final.serial.log../anal/dynamic/snmpwalk.sh 192.168.0.100./anal/dynamic/webAccess.py 1 192.168.0.100 log.txtmkdir exploits && ./anal/metasploit/runExploits.py -t 192.168.0.100 -o exploits -e all(requires Metasploit Framework)sudo nmap -O -sV 192.168.0.100
- The following scripts can be used to mount/unmount the filesystem of firmware
1. Ensure that the emulated firmware is not running, and remember to unmount before performing any other operations.sudo ./qemu/scripts/mount.sh 1sudo ./qemu/scripts/umount.sh 1
- To delete the firmware, use the
delete.sh.
./scripts/delete.sh 1
During development, the database was stored on a PostgreSQL server.
Below are descriptions of tables in the schema.
brand: Stores brand names for each vendor.
| Column | Description |
|---|---|
| id | Primary key |
| name | Brand name |
image: Stores information about each firmware image.
| Column | Description |
|---|---|
| id | Primary key |
| filename | File name |
| brand_id | Foreign key to brand |
| hash | MD5 |
| rootfs_extracted | Whether the primary filesystem was extracted |
| kernel_extracted | Whether the kernel was extracted |
| arch | Hardware architecture |
| kernel_version | Version of the extracted kernel |
object: Stores information about each file in a filesystem.
| Column | Description |
|---|---|
| id | Primary key |
| hash | MD5 |
object_to_image: Maps unique files to their firmware images.
| Column | Description |
|---|---|
| id | Primary key |
| oid | Foreign key to object |
| iid | Foreign key to image |
| filename | Full path to the file |
| regular_file | Whether the file is regular |
| permissions | File permissions in octal |
| uid | Owner's user ID |
| gid | Group's group ID |
| mime | Mime type |
| score | The score of analysis |
product
| Column | Description |
|---|---|
| id | Primary key |
| iid | Foreign key to image |
| url | Download URL |
| mib_filename | Filename of the SNMP MIB |
| mib_hash | MD5 of the SNP MIB |
| mib_url | Download URL of the SNMP MIB |
| sdk_filename | Filename of the source SDK |
| sdk_hash | MD5 of the source SDK |
| sdk_url | Download URL of the source SDK |
| product | Product name |
| version | Version string |
| build | Build string |
| date | Release date |
(TODO)
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent