Router firmware modification and backdooring
- Added 29. 08. 2024
- In this video, I will demonstrate how to modify router firmware with the firmware modification toolkit (firmware-mod-kit) and put a basic msfvenom bind-shell backdoor inside it.
Please note that if you do anything wrong, you may end up bricking the router.
firmware-mod-kit: github.com/ram...
About me: I am Chirag Jariwala (@CJHackerz)
I am an independent cybersecurity analyst and researcher and have been a self-learner in this space for quite a while.
GitHub: github.com/CJH...
Twitter: / cjhackerz
LinkedIn: / cjhackerz
Our Facebook page: / sector443
I am still amazed how people watch this video and subscribe to my channel, in the hope that one day I will produce content. That's freaking amazing. Whoever did, you are awesome and I can't be less thankful. Time flies; it has been ages since I published this video, and a lot of stuff has happened in my life. From now on, instead of regretting not sharing knowledge, I am going to take small steps in that direction. First, I am removing the Mr. Robot soundtrack, since I realized "why am I letting someone else get money out of my content, when I myself am not even eligible for YPP (YouTube Partner Program)". Like that, slowly, I will make changes to the channel as I find time.
Again thanks for your attention, have a nice day!
Question: what's the point of backdooring a router if it's not gonna give you a reverse or bind shell to an external IP?
@younesmessaoudi1440 you can still get a remote reverse shell on a static IP; the easy way is to use Kali Linux on a free-tier EC2 instance. That's how all botnets work: they infect through a certain vulnerability and, to maintain persistence, they connect to a remote server in the cloud or a dedicated one under the attacker's control, which has a static IP. In this video, just for the demo, I went with a bind shell.
I was looking for knowledge to modify routers, like predefining a Wi-Fi password or name after a reset.
how are you bro? can you make more videos please?
Still active??
You are crazy dude actually it felt like elliot on his terminal taking down ecorp lol wish I had enough time and passion to be like you
Real life elliot, hopes he start posting again
Subscribed, plz upload more on reversing firmware and IoT stuff.
Damn, you really know your shit. Subbed! Here for future videos!
Thanks :D
sure I will start uploading soon....
Respect, good video 👍👍
Subscribed from CS Army! :D
You are awesome....
Please return back with new videos...
I wish I could do YouTube, but to show attacks in IoT security further I need hardware which can cost me thousands of USD. And I don't have enough money to purchase recording gear as well. But if time permits I do have plans of covering various topics on ARM reverse engineering stuff. Good to see there are still people out there having interest in my content, and I am extremely sorry for not delivering stuff.
@cjhackerz You can think about some other stuff related to hacking which will be affordable to you...
Nice
Awesome
Cool
it's nice if you inject a BeEF script inside the index page of the router lol
Maybe you could give me a course on router firmware ... and changing some firmware with JTAG directly on the PCB.
and wanted to play with firmware.. health of mexico
when I modify my D-Link firmware and then flash it back to the router I get the error "image CRC failed". How can I bypass this function and keep flashing without any error? Please help me
Second sub~ Really interesting.
Hi, please help me. After I build the firmware I get an error: Firmware header not supported; firmware checksums may be incorrect.
Hey, when you used the dd command you should have set the block size bs to 1 and set skip to the location of the squashfs; you just swapped them, that's why some get errors trying to unsquashfs afterwards.
How about (unlzma kernel.lzma) = data corrupt.. how can I fix this??
it's better to use binwalk -e [name of the firmware file] than to use dd
Is this possible with a .fskernal (Zyxel modem) file update? It has jffs2 and ubifs files in it.
So backdooring firmware is a post-exploitation technique? After you get admin access, to gain persistence?
Yes, true, it's post-exploitation
@cjhackerz cool, also one last question. Can we just unpack and repack every firmware with this tool?
Wow.. amazing.. can't edit this file on Windows 7???
The commands only work on Linux operating systems. If you are interested in IoT security I would recommend you start learning Kali Linux; there are plenty of YouTube channels teaching that, check out HackerSploit, TheCyberMentor.
What if I don't have the firmware available for download? Is there any chance that I can get it from the router?
Yes, from either JTAG or flash memory: you can either desolder the flash chip and read it, or hook up an 8-pin SOIC adapter www.sparkfun.com/products/13153 which you can then wire to an SPI-capable board to read the data, a Raspberry Pi for example. It has GPIO pins for SPI to read and write data.
@cjhackerz hey, is there any chance that I can get your contact please? I have a project I'm working on and I just want to ask some questions so I could study it more and try to break it
the second command you used, "dd", how can I get it on my system?
dd (data duplicator) is available on all Linux distributions by default
@CJHackerz is it possible to change the default username and password in the firmware itself, so that even if the router is reset the username and password never change?
Yeah, if you know which configuration is responsible for the credentials you can change them and upload the modified firmware to the router. The video itself is all about firmware modification; my example is putting a backdoor in, in your case you can change the username and password in the configuration file of the network service (telnet etc.). But yeah, after a reset, if you are using vendor-provided firmware it will use the default username and password.
hey man, nice content. One thing I'm really looking for is a way of unlocking or debranding my router Smile 4G model: SM-LT200+ IMEI: 863081034379350, but the thing is it needs a 16-byte PIN, not the normal 12 code for unlocking. What I know from my small knowledge is that they just fully customized it and made it support one SIM card, and I even managed to get the chance to put in those "unlock codes" after tweaking the HTML, because they just hide it so it doesn't show. Can you help me with that? Hope you are not confused there.
I am also interested in the solution to your problem
really !!!!!!
what if he resets the router, what happens, and where did the checksum before accepting the upgrade go??
Good question...
The backdoor is placed under the /usr/bin folder where the other core system binaries reside, so when a reset happens the changes only apply to configuration files (which contain your router settings such as WiFi password, SSID, DHCP table, internet connection settings etc.), not to core system programs or the file system. Network routers don't perform a checksum, since the hash of the .bin file with each update doesn't remain the same.
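As a check on the point above (a reset only restores configuration; files added under /usr/bin survive it), here is an added Python example, not from the video or from the toolkit, for the defender's side: it hashes an extracted rootfs and compares it with the vendor's own extraction, listing added, removed and changed files and flagging the ones under system-binary directories, which are exactly the changes a reset would not undo. The two sample trees, their file names and the "netsvcd" binary are constructed placeholders.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Directories a factory reset does not touch: it restores configuration under
# /etc (or the overlay on OpenWrt-style systems), not the read-only rootfs.
SYSTEM_PREFIXES = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "lib/", "usr/lib/")


def hash_tree(root) -> dict:
    """Map relative path -> (sha256, executable) for every regular file under
    root. Symlinks are skipped so a link pointing outside the tree is never
    followed into the analyst's own filesystem."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        executable = bool(p.stat().st_mode & stat.S_IXUSR)
        result[p.relative_to(root).as_posix()] = (digest, executable)
    return result


def diff_rootfs(vendor_root, suspect_root) -> dict:
    """Compare an extracted suspect rootfs against the vendor's own image."""
    base, sus = hash_tree(vendor_root), hash_tree(suspect_root)
    added = sorted(set(sus) - set(base))
    removed = sorted(set(base) - set(sus))
    changed = sorted(p for p in set(base) & set(sus) if base[p][0] != sus[p][0])
    # Additions or modifications under system-binary directories persist
    # across a reset and are the ones worth escalating; config diffs are
    # expected and reset-able.
    system = sorted(p for p in added + changed if p.startswith(SYSTEM_PREFIXES))
    return {"added": added, "removed": removed, "changed": changed,
            "system_binary_changes": system}


def build_demo_trees():
    """Constructed sample: a tiny 'vendor' rootfs and a copy with one edited
    config file and one extra executable under usr/bin. File contents are
    placeholder bytes, not real ELF binaries."""
    base = Path(tempfile.mkdtemp(prefix="rootfs-demo-"))
    vendor, suspect = base / "vendor", base / "suspect"
    files = {
        "bin/busybox": b"BUSYBOX-ELF-PLACEHOLDER",
        "usr/bin/httpd": b"HTTPD-ELF-PLACEHOLDER",
        "etc/config/wireless": b"option ssid 'default'\n",
    }
    for root in (vendor, suspect):
        for rel, data in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            path.chmod(0o755 if rel.startswith(SYSTEM_PREFIXES) else 0o644)
    # A config edit (undone by a reset) and a hypothetical unexpected binary
    # under usr/bin (survives a reset).
    (suspect / "etc/config/wireless").write_bytes(b"option ssid 'changed'\n")
    extra = suspect / "usr/bin/netsvcd"
    extra.write_bytes(b"UNEXPECTED-ELF-PLACEHOLDER")
    extra.chmod(0o755)
    return vendor, suspect


if __name__ == "__main__":
    vendor, suspect = build_demo_trees()
    for key, paths in diff_rootfs(vendor, suspect).items():
        print(f"{key}: {paths}")
```

In practice the "vendor" side is the rootfs carved out of the image downloaded from the vendor's site and the "suspect" side is the one read back from the device's flash (JTAG or SPI, as discussed elsewhere in this thread); any entry in system_binary_changes is worth pulling apart before trusting the device again.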
@cjhackerz hi, thanks for the detailed reply...
can you make a video about the Huawei router and decrypting its config... because when I extracted the firmware files I didn't find any HTML files at all!
Here is the tutorial
hg658c.wordpress.com/2017/12/04/decrypting-configuration-files-from-other-huawei-home-gateway-routers/
Hey bro...good job btw.
My router got hacked a couple of days ago. No matter what I did and how many times I reset my router, he got back in again in a second.
He got in first via the UPnP port, I forgot to turn it off. But this guy is consistent, he comes back again and again.
He replaced my original firmware, so a lot of security settings were removed, plus all the configuration I did never got to the system, it only stayed in the configuration file. I know the only way is to flash the thing; my router is a Huawei from the Orange internet company in Morocco.
Any tips on how to block this donkey?
They only do this when there is an automatic update from the internet: it checks the checksum of the downloaded firmware vs. it once it's installed
Bro Can you Make More simple tutorial for beginners.
Can you tell me how we can change the router's MAC ID, serial and model number?
Is it possible to change the firmware, if I do so, of a network-locked modem?
Did you manage to?
hi, I want customised firmware for my router, can you help me?
Is there a Windows version of the software used in this video?
I have a router I want to unlock by modifying its firmware, like making it disable SIM card checking, or add a SIM card ID to the whitelist, or accept any random NCK unlocking code
Please help me
I'll pay you
What if we can't access the router's admin panel?
You can exploit an existing vulnerability to get a shell, or find your own RCE zero-day :)
Hey brother, how can I do this for Tenda?? I tried, in the folder desktop/firmware-mod-kit/src/others/squashfs-3.4-cisco# make -j4.. after this it's not working???
root@hattahutapea:~/Desktop/firmware-mod-kit/src/others/squashfs-3.4-cisco# make -j4
make -C squashfs-tools
make[1]: warning: jobserver unavailable: using -j1. Add '+' to parent make rule.
make[1]: Entering directory '/root/Desktop/firmware-mod-kit/src/others/squashfs-3.4-cisco/squashfs-tools'
gcc mksquashfs.o read_fs.o sort.o lzmainterface.o LzmaEnc.o LzFind.o LzmaDec.o -lz -lpthread -lm -lstdc++ -o mksquashfs
/usr/bin/ld: mksquashfs.o: in function `create_inode':
mksquashfs.c:(.text+0x2e03): undefined reference to `major'
/usr/bin/ld: mksquashfs.c:(.text+0x2e10): undefined reference to `minor'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:17: mksquashfs] Error 1
make[1]: Leaving directory '/root/Desktop/firmware-mod-kit/src/others/squashfs-3.4-cisco/squashfs-tools'
make: *** [Makefile:4: all] Error 2
root@hattahutapea:~/Desktop/firmware-mod-kit/src/others/squashfs-3.4-cisco#
Could you reverse engineer a router firmware with the ultimate goal of extracting the default WPA key generation algorithm? If yes, then take my money.
Not sure about that, but yeah, in the past people have indeed figured out flaws in WPS instead www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/ I am not that skilled yet.
@cjhackerz thanks. It appears that such a task would require some solid assembly skills.
Can you unlock firmware locked by isp?
hello sir, how do I edit the firmware of the Huawei E5577 MiFi?
'bs' and 'skip' at the beginning are right this way?!
are you still active, brother?
my firmware is a .img, what to do?
Is there any way to extract the firmware from a router?
How to extract UBI?
Can I contact you? I wanna hire you for some work.
when I run "unsquashfs rootfs.img" I get the following error, any idea what I'm doing wrong here?
"Can't find a SQUASHFS superblock on rootfs.img"
countless errors when I try it for my Netis router
🧁🧁🧁 Sweet 🎂🎂🎂
I want your help sir, so how will I contact you?
Hey, I have a lot of questions, can I get your Discord ID or anything please?
Same username on each and every site that exists on the Internet
Nice
hey, I get a 7z file when I run "binwalk -e xx.bin", then I can't unpack that .7z file. What's the sorcery?