IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell
HTML-код
- Опубликовано: 21 апр 2024
- ** NOTE: Audio is terrible. It was recorded using the wrong mic the entire time. **
In this video we show my initial look at the Netgear AC1750 NightHawk device where I drop a UART root shell quickly and then explore the underlying Linux system.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #reverseengineering #firmware 
Наука
NOTE: Audio is terrible. It was recorded using the wrong mic the entire time.
Still a great vid. Going to try to find some vulns in one of my routers now.
No problem
Still great! Thanks and keep it up.
Wake up. New Matt Brown video. Off work. Its gonna be a good day
Matt who? This is Jim Carrey.
Get yourself a number of 4-6mm barrel jacks with some terminal caps on the wired end that you can either gator clip or screw into a bench supply. Way way easier than having to solder onto the board. I work on a bunch of home routers to recycle/refurb them with OpenWRT, DD-WRT, etc. It's pretty easy to keep a handful of barrel jack bench supply adapters around for your exact use. :D
I just made a barrel to alligator clips before I saw this lol
That was kind of a dream result!
I actually have this Netgear router, i can’t think of anything I would want to modify in the fw right now but its good to know I have the option
Amazing Video Matt, Keep it up and thank you for sharing your knowledge and experience with the community
You might want to try those DC barrel connectors with screw terminals on the other end. It is commonly used on analog security cameras.
That would have been better, but sometimes perfect is the enemy of forward progress.
@@mattbrwn true
Thanks for making these videos. Very informative.
Just stumbled upon your channel, so glad I did this stuff is mad interesting 🤙🏽
I love this stuff man thank you!
Matt is really coming back.
Where did you learn this ? This is so cool, combined with my interest in openwrt and routers this video is extremely interesting.
There used to be another guy doing reverse engineering and software shananigans with routers, his channel name was Make Me hack, I think you might find his content great for inspiration .
Keep the videos coming, your channel has the old youtube vibe, and you clearly know your stuff!
loved that guys videos but he hasn't posted in awhile :(
Great one Matt love your hardware reversing vids! I like how you leave nothing abstracted. Hope to see you at DEFCON!
I wish I could be at Defcon this year but I won't be able to make it due to some personal reasons. (Very positive ones 😊)
@@mattbrwn well I appreciate your material so much Matt!
Great content!
40:00 (ish): netstat is probably taking a long time because it's trying to do reverse DNS lookups on the IP addresses it's encountering. Try adding a "-n" flag on it next time to avoid this behavior. This same behavior applies to a lot of other common shell utilities such as ping, traceroute, tcpdump, etc.
Edit: BTW, I've just discovered your channel and am enjoying your videos immensely. I work in security engineering, and I've always been interested in embedded hardware hacking.
In situations like this I would recommend soldering the ground to one of the metal shields as their a little easier to attach a wire to.
I want you to make a video about modifying the firmware in the embedded system. Because during my case I have /bin/psh which is a protected shell for the uart. The only way to get around this is modifying the firmware and assigning /bin/sh for it. When I try to do it, LZMA compression turns out to be a big pain. So looking forward for those videos. Btw this video is good overall.
Oh yeah I've ran into systems with those annoying limited shells. It feels like you are so close and yet so far from your goal at the same time.
@@mattbrwn yes exactly.
A device firmware have a lot in common with a docker container. The ro OS is the container, the rw filesystem is the docker volume, and the nvram is the docker environment. (.env)
interesting
That face when he found the same router as yours in e-waste...😔
Hay matt what WM are using for your OS, looks really clean and easy on the resources. Love the videos ❤
using i3wm with i3gaps
Matt, is there a hardware version for this router?
Very cool
Is all your heat getting sucked into that return vent
Great video!!!. I just want to know which linux you are using and which window manager it is and it's theme? Thank you.
Arch Linux with i3wm
Just 400 likes? This deserves 400k. Come on netizens, come on yt algo, give him what he deserves. Btw have a subscribe.
To be honest, I think its better that way that debug port is clearly marked as such and if you plug into it, the device dosent give you any trouble to get to root. Afterall its your device it does mean to "own" to get the lovely root shell.
@mattbrwn Do you have any experience with Sonicwall devices? I've got uart on a sonicwave 231c that I retrieved from ewaste and would like to dig in on it. I have two, one is factory reset and the other is still sitting while I poke at the open one.
No experience with that stuff no. Would love to see any progress you make!
with those four pins exposed like that could you still have gotten the root shell without soldering the extra wires and just used that usb cable and the power supply?
Hey Matt, I’ve been interested in iot security and was trying to follow along with my netgear ac1900 c7000v2, I’m able to get a terminal but the party ends as it gets stuck at the console handover boot -> real, my assumption is because of the baudrate? Would you happen to have any experience with this router?
They might have UART disabled after the bootloader on that model. hop into our discord and post some screenshots + terminal output for some more detailed help.
Matt I noticed wlanconfigd process @27:30 Dare say they leave the UART open for debugging purposes from the factory to load the firmware?
To mitigate this don't some more secure IoT devices blow an efuse to prevent physical access to the firmware? I have a few quite expensive STM32 devices, but I feel I need the STLink firmware tool to have a crack for a n00b like myself.
So the STM32 is a microcontroller which has internal flash. Most/all Linux embedded devices use external flash that is seperate from the CPU. This is why firmware extraction on a microcontroller is harder.
Phyisical access means 'all bets are off' ie; it's your router, you own it and there's not much point in them bothering to try and lock out UART(If your not microsoft or apple, it's prolly a waste of money for them). Interesting that it uses bitdefender and OpenVPN etc.. Scary how many ports they have open omg...
I really want to see how you will find somebug on IoT device from the beginning (dump firmware, Reverse,...). Love your contents
I think that full arc should be possible on this device.
@@mattbrwn thats awesome man,
@mattbrwn what is the make/model of your microscope? Maybe list the tech you use in the description. I am a newb. Thanks
AmScope SM-4NTP 7X-45X
I have a pair of R8000's I flashed to DD-WRT for the extra features and especially better security over negears trash firmware. I recently changed out my gateway to a 4x10G/5x2.5G NIC - 8 core Qotom box running an open source firewall - I keep those R8000's around when I need a quick, portable 1G network preconfigured I can take with me on the road (in a car, not a plane).
You should get your self an assortment of barrel Jack sizes and put connectors on them for your psu.
Excelente trabajo.
Hey Matt.
Have you ever done any console hacking?
For example the good old PS3 metldr2 would be a nice challenge. A very, very hard one tho.
Hackers unfortunately turned away from the PS3 a long time ago, so someone skilled is needed to nail it down for good...
No I haven't and unfortunately I gave away my PS3 a few years ago
21:25 - This is most likely TFTP, most routers have this functionality, and you can flash firmware with this protocol, commonly used to load custom firmware like OpenWRT, DD-WRT, etc.
netstat needs "-n" to quit trying to do reverse-dns lookups on every IP (which is why it's slow when there is no accessible DNS server)
also netstat is officially deprecated, 'ss -nlp' is the new command, although some busyboxen may not have that at all
Hey Matt, did you ever finish off the Arlo videos? I watched one yesterday and was pumped for the next one after you said what you were going to do in the next one.......then there is no next one? 😭 you always seem to stop a series right when I need it most, like firmware modification or reverse engineering, noooooo!
I've been doing this stuff for a while so would be awesome to see your approach to more challenging stuff. You should show us something like a device that has encrypted firmware, or something where binwalk gives you no results and you have to figure it out, or extracting the firmware is much harder because the flash has protections in place you need to change, or show us modifying some firmware to bypass something and re-flashing the device etc.
Also, please keep showing the raw footage, not edited, the little struggles along the way are the most useful to see! Or you might mention extra things that are super helpful 👍
I bricked the Arlo device which ended that video series unfortunately. I am trying to do more long form videos where you see the whole process 😁
@@mattbrwn Ahh damn! We've all been there haha, keep them coming 🦾
is it possible to compile a custom version of openwrt for this ?
Yep I bet openwrt/ddwrt already supports this device 😀
@@mattbrwnIndeed they do, I have one with dd-wrt 🔥
try netstat with -p ( helps to see the process tied to the port) Not uncommon for developers to use non standard ports.
If you have access to a gen2 unifi switch, please do a video on that devices. Unifi removed the switch console port, so any information on how to access the console will be useful (firmware recovery)
It would drive me crazy getting constantly interrupted by the ping and the other commands outputs, especially if you have to enumerate for hours. Would it be possible to start an ssh server and connect that way to get a proper shell/environment?
Yep most openwrt devices will have the dropbear ssh server you can start. I definitely setup ssh when doing longer looks at a device like this because of the annoying console output you mentioned.
Hello Matt. Really like your channel. Could you suggest resources and hardware for a noob like me? I have a lot of experience with raspberry pi's and basic electronics, but would like to learn hardware hacking as well. Thank you in advance.
Do you have a specific thing that you want to learn? Hardware hacking is a wide category that includes a bunch of stuff. But generally I always have fun grabbing a device from ewaste or a thrift store and learning as much as I can about that target device.
@@mattbrwn Thank you very much for taking the time to respond to my questions. I’m looking for the basics: Essential hardware needed (UART readers, etc.), Essential Software to interact with the target item, and Essential reference material to be able to learn how to interact with the target item. Also, simple projects that a noob would be able to work on. I have Raspberry Pi’s and Raspberry Pi Pico’s (with pico probe). Would I be able to use those to interact with the items?
@@mattbrwn Wow.... Thanks for your non-help with resources.
Hey Matt, where would I get a hold of you? I have a Wi-Fi pineapple I want to donate to you. I don't know. Wat you could do that??👍 Thank you for all your expertise.
There's an app and you can also enable auto updates on netgear devices now.
Smart TV?
Hi can you hack some Weather Windstations serial? 😀 The Tempest Weatherflow
Great video bro .. very useful and informative video....bro please improve your videos voice quality
Bitdefender in an anti virus software, did not expect to see it in there
Can you do a cable modem or even a cable set top box would be interesting to see whats inside 🎉
ruclips.net/video/yI7LdGyXsns/видео.html
@mattbrwn ohhh didn't even see that am of to watch it
Hey @Matt , I am trying to remotely monitor my home network. How would you do this?
Currently, I'm looking to use my esp32. Do you know the best method? Or I have a Nexus 7 running nethunter. Ideally, I'd have a battery bank for power, monitoring over WiFi. Any resources or help is appreciated 😊
When you say you want to monitor your network what specifically do you want to monitor for?
@mattbrwn internet traffic, and any unauthorized access. I think someone is using my credentials to access my stuff. But 2fa sometimes doesn't work even for me. Whatever you think could help.
I want to monitor web traffic. I think someone is using my creds to log on and snoop. So that level of monitoring is what I'm seeking 😅 my iPad and pc are left there, so if they are being accessed w/o permission and then snooping is what I assume is happening.
P.s. if I just change password I won't catch the culprit.
@@Gertbfrobe407You can do a simple wireshark or go full SIEM mode. The book Cybersecurity for Small Networks fits your need perfectly.
Cool. Nice man cave as well
bro do u sell those devices or accept any from users b/c i have a box of old devices i could send you to tinker with
I'm working on a solution where ppl can send me stuff. stay tuned.
who's Jeannine? Couldn't help myself and pause the video in the section that was blurred lol
any Anemometer would be 🙏👍👍
tin the wires first, and keep your poor tip clean...
also, apply solder to the work, not the iron.
AND FLUX
10:00 shorten those ends before it shorts to the board somewhere.
OpenVPN => Router acts as server, client key/cert are for devices to connect to it
Yeah that makes sense now that I think about it. Wouldn't have the server key sitting their otherwise...
One question.. why not make life easier and have a couple barrel plugs with pre soldered wires and just hook them up with clips instead of soldering onto the connector
Sure. But I'm working with what I have. It doesn't have to be perfect. We are engineers not scientists 🙂
I would have just tried a 12V adapter at a lower amp rating. If it didn't work, you could also cut the barrel plug (with some cord) off the adapter with too low a current rating. The soldering while perfectly doable, seems like a lot more work. That said, I'm lacking in gaining root shell access on devices I'm playing with, hence my presence here.
if it can run a aftermarket firmware like dd-wrt or tomato all these types of routers are easy to hack.
Vol on 69%
first
Any other 12v adapter would have worked fine, no need for it to be 2.5 exact. 12 mins start of video was a waste
And when you don't have it then? Bro is watching free video and complaining,
vgtr bell
vegertable
Second
Hack a Roku
that router is beast. you can use merlin firmware.
I was able to do this and you do not need 'nvram show', just run 'routerinfo'
nvm, just shows defaults