mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 17:28:13 +00:00
4.3 KiB
4.3 KiB
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Copied from https://scriptingxss.gitbook.io/firmware-security-testing-methodology/
When modifying device start up and bootloaders such as U-boot, attempt the following:
- Attempt to access the bootloaders interpreter shell by pressing "0", space or other identified “magic codes” during boot.
- Modify configurations to execute a shell command such as adding '
init=/bin/sh' at the end of boot arguments#printenv#setenv bootargs=console=ttyS0,115200 mem=63M root=/dev/mtdblock3 mtdparts=sflash:<partitiionInfo> rootfstype=<fstype> hasEeprom=0 5srst=0 init=/bin/sh#saveenv#boot
- Setup a tftp server to load images over the network locally from your workstation. Ensure the device has network access.
#setenv ipaddr 192.168.2.2 #local IP of the device#setenv serverip 192.168.2.1 #tftp server IP#saveenv#reset#ping 192.168.2.1 #check if network access is available#tftp ${loadaddr} uImage-3.6.35 #loadaddr takes two arguments: the address to load the file into and the filename of the image on the TFTP server
- Use
ubootwrite.pyto write the uboot-image and push a modified firmware to gain root - Check for enabled debug features such as:
- verbose logging
- loading arbitrary kernels
- booting from untrusted sources
- *Use caution: Connect one pin to ground, watch device boot up sequence, before the kernel decompresses, short/connect the grounded pin to a data pin (DO) on an SPI flash chip
- *Use caution: Connect one pin to ground, watch device boot up sequence, before the kernel decompresses, short/connect the grounded pin to pins 8 and 9 of the NAND flash chip at the moment U-boot decompresses the UBI image
- *Review the NAND flash chip’s datasheet prior to shorting pins
- Configure a rogue DHCP server with malicious parameters as input for a device to ingest during a PXE boot
- Use Metasploit’s (MSF) DHCP auxiliary server and modify the ‘
FILENAME’ parameter with command injection commands such as‘a";/bin/sh;#’to test input validation for device startup procedures.
- Use Metasploit’s (MSF) DHCP auxiliary server and modify the ‘
*Hardware security testing
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.