Taking a Basic Walk in a Binary: Exploring Binwalk

Overt Operator
February 10, 2023

Analyzing and extracting firmware from embedded devices is an interesting process with many applications, among them security research and exploit development.
Binwalk is a tool for analyzing and extracting firmware images. It is commonly used by security researchers and digital forensics experts to examine the contents of embedded devices and to extract embedded files, firmware components, and other hidden data. Binwalk ships by default with Kali Linux, and its source can be found on GitHub.
Binwalk uses a signature-based approach to identify file formats within firmware images: it scans the image and compares its contents against a database of known signatures (magic bytes) to identify specific file types. This lets Binwalk identify and extract embedded files even when they have been compressed, encrypted, or otherwise obfuscated.
One of the key features of Binwalk is its ability to recursively scan firmware images and extract multiple levels of data. For example, if an image contains a compressed file, Binwalk can extract the compressed file and then scan the contents to identify any further embedded files. This makes Binwalk a powerful tool for uncovering hidden data and information within firmware images.
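The two ideas just described, a signature scan over every byte offset and a recursive rescan of whatever gets extracted, fit in a short script. The following is an added illustration, not binwalk's own code: the signature table is a hand-picked subset of well-known magics (binwalk's real database is far larger), the firmware image is constructed inline, and only gzip members are extracted. Note how a hit that merely looks like a gzip header is dropped when it fails to inflate, a false positive every signature scanner has to expect.

```python
"""Signature scan with recursive extraction, reduced to its essentials.

Added illustration; this is not binwalk's own code. The signature table is a
hand-picked subset of file magics, and the firmware image is constructed
inline so the script runs offline.
"""
import gzip
import struct
import zlib
from dataclasses import dataclass, field

# Magic bytes -> description. Constructed subset of well-known file magics.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "Squashfs filesystem, little endian",
    b"sqsh": "Squashfs filesystem, big endian",
    b"\x7fELF": "ELF executable",
}


@dataclass
class Hit:
    offset: int
    description: str
    depth: int = 0
    children: list = field(default_factory=list)  # hits found inside an extracted payload


def scan(image: bytes) -> list:
    """Search every byte offset for every known magic; return hits sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = image.find(magic)
        while pos >= 0:
            hits.append(Hit(pos, desc))
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def gunzip_at(image: bytes, offset: int):
    """Inflate one gzip member starting at `offset`, tolerating trailing data.

    Returns None if the bytes only look like a gzip header (a false positive
    a signature scanner must expect) or if the stream is truncated.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect a gzip wrapper
    try:
        payload = inflater.decompress(image[offset:])
    except zlib.error:
        return None
    return payload if inflater.eof else None


def walk(image: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Scan, then extract each gzip hit and scan its contents in turn (recursive)."""
    hits = scan(image)
    for hit in hits:
        hit.depth = depth
        if hit.description.startswith("gzip") and depth < max_depth:
            payload = gunzip_at(image, hit.offset)
            if payload is not None:
                hit.children = walk(payload, depth + 1, max_depth)
    return hits


def report(hits: list) -> list:
    """Flatten the hit tree into binwalk-style 'DECIMAL  HEX  DESCRIPTION' lines."""
    lines = []
    for hit in hits:
        indent = "    " * hit.depth
        lines.append(f"{indent}{hit.offset:<10}{hit.offset:<#12x}{hit.description}")
        lines.extend(report(hit.children))
    return lines


def build_sample_image() -> bytes:
    """Constructed firmware image: bootloader padding, gzipped kernel, squashfs rootfs."""
    kernel = b"\x7fELF" + b"\x01\x01\x01\x00" + b"Linux version 2.6.22 " * 8  # fake ELF kernel
    rootfs = b"hsqs" + struct.pack("<I", 42) + b"\x00" * 60                     # fake LE squashfs
    return b"\x00" * 64 + gzip.compress(kernel, mtime=0) + b"\xff" * 16 + rootfs


if __name__ == "__main__":
    print("\n".join(report(walk(build_sample_image()))))
```

Running the script prints the gzip member at offset 64, the ELF found at offset 0 inside it (indented one level), and the little-endian squashfs at the end of the image, the same three facts the real tool reports for a typical router image.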
In addition to its signature-based scanning and extraction capabilities, Binwalk also includes several other features that make it a useful tool for firmware analysis. These features include the ability to display and manipulate file metadata, carve data from raw image files, and generate entropy plots to help identify encrypted or compressed data.
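A signature scan finds nothing in a section that has no header, which is exactly the case for encrypted payloads; that is why the entropy scan exists. The following is an added illustration of the measurement behind it, not binwalk's code: it slides a window over a constructed image (zero padding, readable text, then a pseudo-random blob standing in for an encrypted or compressed section), reports Shannon entropy per window, and merges windows above a threshold into byte ranges. The window size and the 7.5 bits/byte threshold are assumptions chosen for the demo.

```python
"""Sliding-window Shannon entropy, the idea behind an entropy scan of a firmware image.

Added illustration, not binwalk's code. WINDOW and HIGH_ENTROPY are assumptions
chosen for the demo; the image is constructed inline.
"""
import math
import random
from collections import Counter

WINDOW = 1024        # bytes per measurement (assumption)
HIGH_ENTROPY = 7.5   # bits/byte above which a block looks compressed or encrypted (assumption)


def shannon_entropy(block: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant block, 8.0 for uniform random bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(image: bytes, window: int = WINDOW) -> list:
    """Return (offset, entropy) for each consecutive window of the image."""
    return [(off, shannon_entropy(image[off:off + window]))
            for off in range(0, len(image), window)]


def high_entropy_regions(image: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY) -> list:
    """Merge consecutive high-entropy windows into (start, end) byte ranges."""
    regions = []
    for off, ent in entropy_profile(image, window):
        if ent < threshold:
            continue
        end = min(off + window, len(image))
        if regions and regions[-1][1] == off:      # extends the previous region
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def build_sample_image() -> bytes:
    """Constructed image: zero padding, readable text, then a pseudo-random blob
    standing in for an encrypted or compressed section."""
    rng = random.Random(2023)  # fixed seed keeps the demo deterministic
    zeros = b"\x00" * 2048
    text = (b"Linux version 2.6.22 (build@host) #1 PREEMPT " * 50)[:2048]
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return zeros + text + blob


if __name__ == "__main__":
    image = build_sample_image()
    for off, ent in entropy_profile(image):
        print(f"{off:>8}  {ent:5.3f}  {'#' * int(ent * 6)}")
    print("high-entropy regions:", high_entropy_regions(image))
```

The text-mode bar chart printed by the main block is the same shape as the plot binwalk draws: flat at zero over padding, a modest plateau over text, and a sharp rise where the blob begins. In a real image, a region that is high-entropy but has no signature at its start is the usual sign of encryption rather than compression.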
Looking at firmware images found on the internet, we can do some interesting things with them.

Example: Firmware for the Linksys EA2700 Router

Figure 1: running binwalk on the EA2700 firmware, we see the binary is gzip compressed, uses little endian, and uses SquashFS as its file system.

Figure 2: entropy scan, highlighting compressed or encrypted data in the binary.

Figure 3: entropy graph generated by binwalk.

Figure 4: using the extract flag to extract known file systems and kernel information from the binary.

Figure 5: extracted firmware directory.

Figure 6: running binwalk on 'piggy', likely the kernel. This file shows the kernel version being 2.6.22.

Figure 7: squashfs directory listing all the directories of the EA2700 firmware.

Figure 8: the /bin directory of the EA2700 firmware.

Figure 9: the /www directory and files of the EA2700 firmware.

Figure 10: a quick map and sampling from Shodan of Linksys EA2700 devices on the internet.
Overall, Binwalk is a powerful and versatile tool that is widely used in the firmware analysis and digital forensics communities. Whether you are a security researcher, digital forensics expert, or just interested in understanding the contents of firmware images, Binwalk is a tool worth checking out.