IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell
ฝัง
- เผยแพร่เมื่อ 21 เม.ย. 2024
- ** NOTE: Audio is terrible. It was recorded using the wrong mic the entire time. **
In this video we show my initial look at the Netgear AC1750 NightHawk device where I drop a UART root shell quickly and then explore the underlying Linux system.
🛠️ Stuff I Use 🛠️
🪛 Tools:
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4aaCOGt
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #reverseengineering #firmware - วิทยาศาสตร์และเทคโนโลยี
NOTE: Audio is terrible. It was recorded using the wrong mic the entire time.
Still a great vid. Going to try to find some vulns in one of my routers now.
Wake up. New Matt Brown video. Off work. Its gonna be a good day
That was kind of a dream result!
I actually have this Netgear router, i can’t think of anything I would want to modify in the fw right now but its good to know I have the option
Amazing Video Matt, Keep it up and thank you for sharing your knowledge and experience with the community
Thanks for making these videos. Very informative.
Great one Matt love your hardware reversing vids! I like how you leave nothing abstracted. Hope to see you at DEFCON!
I wish I could be at Defcon this year but I won't be able to make it due to some personal reasons. (Very positive ones 😊)
@@mattbrwn well I appreciate your material so much Matt!
You might want to try those DC barrel connectors with screw terminals on the other end. It is commonly used on analog security cameras.
That would have been better, but sometimes perfect is the enemy of forward progress.
@@mattbrwn true
A device firmware have a lot in common with a docker container. The ro OS is the container, the rw filesystem is the docker volume, and the nvram is the docker environment. (.env)
interesting
Matt is really coming back.
Get yourself a number of 4-6mm barrel jacks with some terminal caps on the wired end that you can either gator clip or screw into a bench supply. Way way easier than having to solder onto the board. I work on a bunch of home routers to recycle/refurb them with OpenWRT, DD-WRT, etc. It's pretty easy to keep a handful of barrel jack bench supply adapters around for your exact use. :D
Cool. Nice man cave as well
I want you to make a video about modifying the firmware in the embedded system. Because during my case I have /bin/psh which is a protected shell for the uart. The only way to get around this is modifying the firmware and assigning /bin/sh for it. When I try to do it, LZMA compression turns out to be a big pain. So looking forward for those videos. Btw this video is good overall.
Oh yeah I've ran into systems with those annoying limited shells. It feels like you are so close and yet so far from your goal at the same time.
@@mattbrwn yes exactly.
Very cool
Great content!
Hay matt what WM are using for your OS, looks really clean and easy on the resources. Love the videos ❤
using i3wm with i3gaps
Great video!!!. I just want to know which linux you are using and which window manager it is and it's theme? Thank you.
Arch Linux with i3wm
I really want to see how you will find somebug on IoT device from the beginning (dump firmware, Reverse,...). Love your contents
I think that full arc should be possible on this device.
@@mattbrwn thats awesome man,
Hey Matt.
Have you ever done any console hacking?
For example the good old PS3 metldr2 would be a nice challenge. A very, very hard one tho.
Hackers unfortunately turned away from the PS3 a long time ago, so someone skilled is needed to nail it down for good...
No I haven't and unfortunately I gave away my PS3 a few years ago
Matt I noticed wlanconfigd process @27:30 Dare say they leave the UART open for debugging purposes from the factory to load the firmware?
To mitigate this don't some more secure IoT devices blow an efuse to prevent physical access to the firmware? I have a few quite expensive STM32 devices, but I feel I need the STLink firmware tool to have a crack for a n00b like myself.
So the STM32 is a microcontroller which has internal flash. Most/all Linux embedded devices use external flash that is seperate from the CPU. This is why firmware extraction on a microcontroller is harder.
Phyisical access means 'all bets are off' ie; it's your router, you own it and there's not much point in them bothering to try and lock out UART(If your not microsoft or apple, it's prolly a waste of money for them). Interesting that it uses bitdefender and OpenVPN etc.. Scary how many ports they have open omg...
Great video bro .. very useful and informative video....bro please improve your videos voice quality
Hey Matt, did you ever finish off the Arlo videos? I watched one yesterday and was pumped for the next one after you said what you were going to do in the next one.......then there is no next one? 😭 you always seem to stop a series right when I need it most, like firmware modification or reverse engineering, noooooo!
I've been doing this stuff for a while so would be awesome to see your approach to more challenging stuff. You should show us something like a device that has encrypted firmware, or something where binwalk gives you no results and you have to figure it out, or extracting the firmware is much harder because the flash has protections in place you need to change, or show us modifying some firmware to bypass something and re-flashing the device etc.
Also, please keep showing the raw footage, not edited, the little struggles along the way are the most useful to see! Or you might mention extra things that are super helpful 👍
I bricked the Arlo device which ended that video series unfortunately. I am trying to do more long form videos where you see the whole process 😁
@@mattbrwn Ahh damn! We've all been there haha, keep them coming 🦾
@mattbrwn what is the make/model of your microscope? Maybe list the tech you use in the description. I am a newb. Thanks
AmScope SM-4NTP 7X-45X
I have a pair of R8000's I flashed to DD-WRT for the extra features and especially better security over negears trash firmware. I recently changed out my gateway to a 4x10G/5x2.5G NIC - 8 core Qotom box running an open source firewall - I keep those R8000's around when I need a quick, portable 1G network preconfigured I can take with me on the road (in a car, not a plane).
@mattbrwn Do you have any experience with Sonicwall devices? I've got uart on a sonicwave 231c that I retrieved from ewaste and would like to dig in on it. I have two, one is factory reset and the other is still sitting while I poke at the open one.
No experience with that stuff no. Would love to see any progress you make!
If you have access to a gen2 unifi switch, please do a video on that devices. Unifi removed the switch console port, so any information on how to access the console will be useful (firmware recovery)
Excelente trabajo.
Hello Matt. Really like your channel. Could you suggest resources and hardware for a noob like me? I have a lot of experience with raspberry pi's and basic electronics, but would like to learn hardware hacking as well. Thank you in advance.
Do you have a specific thing that you want to learn? Hardware hacking is a wide category that includes a bunch of stuff. But generally I always have fun grabbing a device from ewaste or a thrift store and learning as much as I can about that target device.
@@mattbrwn Thank you very much for taking the time to respond to my questions. I’m looking for the basics: Essential hardware needed (UART readers, etc.), Essential Software to interact with the target item, and Essential reference material to be able to learn how to interact with the target item. Also, simple projects that a noob would be able to work on. I have Raspberry Pi’s and Raspberry Pi Pico’s (with pico probe). Would I be able to use those to interact with the items?
with those four pins exposed like that could you still have gotten the root shell without soldering the extra wires and just used that usb cable and the power supply?
It would drive me crazy getting constantly interrupted by the ping and the other commands outputs, especially if you have to enumerate for hours. Would it be possible to start an ssh server and connect that way to get a proper shell/environment?
Yep most openwrt devices will have the dropbear ssh server you can start. I definitely setup ssh when doing longer looks at a device like this because of the annoying console output you mentioned.
Hi can you hack some Weather Windstations serial? 😀 The Tempest Weatherflow
Can you do a cable modem or even a cable set top box would be interesting to see whats inside 🎉
th-cam.com/video/yI7LdGyXsns/w-d-xo.html
@mattbrwn ohhh didn't even see that am of to watch it
any Anemometer would be 🙏👍👍
10:00 shorten those ends before it shorts to the board somewhere.
OpenVPN => Router acts as server, client key/cert are for devices to connect to it
Yeah that makes sense now that I think about it. Wouldn't have the server key sitting their otherwise...
Hey @Matt , I am trying to remotely monitor my home network. How would you do this?
Currently, I'm looking to use my esp32. Do you know the best method? Or I have a Nexus 7 running nethunter. Ideally, I'd have a battery bank for power, monitoring over WiFi. Any resources or help is appreciated 😊
When you say you want to monitor your network what specifically do you want to monitor for?
@mattbrwn internet traffic, and any unauthorized access. I think someone is using my credentials to access my stuff. But 2fa sometimes doesn't work even for me. Whatever you think could help.
I want to monitor web traffic. I think someone is using my creds to log on and snoop. So that level of monitoring is what I'm seeking 😅 my iPad and pc are left there, so if they are being accessed w/o permission and then snooping is what I assume is happening.
P.s. if I just change password I won't catch the culprit.
@@Gertbfrobe407You can do a simple wireshark or go full SIEM mode. The book Cybersecurity for Small Networks fits your need perfectly.
is it possible to compile a custom version of openwrt for this ?
Yep I bet openwrt/ddwrt already supports this device 😀
One question.. why not make life easier and have a couple barrel plugs with pre soldered wires and just hook them up with clips instead of soldering onto the connector
Sure. But I'm working with what I have. It doesn't have to be perfect. We are engineers not scientists 🙂
tin the wires first, and keep your poor tip clean...
also, apply solder to the work, not the iron.
AND FLUX
first
Second
Hack a Roku