pr0v3rbs / FirmAE

Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis
MIT License

general questions #14

Closed booknerdbn closed 3 years ago

booknerdbn commented 3 years ago

I have been looking at your FirmAE program for IoT devices. It's really great! I have installed it on Ubuntu and everything seems to work! Thanks for this perfect piece of software!

I only have some questions. These might seem very stupid, and I'm sorry for that, but I'm new to this industry, so still learning!

I have run the example dlink router driver, but it wasn't completely clear to me if you can also manually test for XSS or command injection, or if this is only possible automatically with the -a command?

If I execute the -a command, "sudo ./run.sh -a", the webserver is accessible on 192.168.0.1, but it also starts doing a lot of automated tests, like the nmap scan etc.

Is it also possible to just do a complete dynamic emulation and test manually without starting all the automated tests? Because when I start emulation with "sudo ./run.sh -c" it works, but I can't access anything on 192.168.0.1. But maybe I'm doing something wrong?

ubuntu@ubuntu:~/FirmAE$ sudo ./run.sh -c dlink DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip
[*] DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip emulation start!!!

Thank you in advance for your reply, and thank you for this great piece of software!

pr0v3rbs commented 3 years ago

Thank you for your good question!

The run.sh script has a run mode (-r option) which just runs the emulated firmware. After waiting a moment, you can see the emulation connectivity test log as below.

ubuntu64 ~/Desktop/FirmAE master* $ sudo ./run.sh -r dlink DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip
[*] DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip emulation start!!!
[*] extract done!!!
[*] get architecture done!!!
[*] DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip already succeed emulation!!!

[IID] 1735
[MODE] run
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
Creating TAP device tap1735_0...
Set 'tap1735_0' persistent and owned by uid 0
Initializing VLAN...
Bringing up TAP device...
Starting emulation of firmware... 192.168.0.1 true true 17.382841434 46.457400827

After this, you can access the web service of the target firmware through 192.168.0.1 and also perform custom penetration testing.

Moreover, the run.sh script also has a debug mode (-d option) which can help you connect to the emulated firmware.

I added a description for run mode, thank you!
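As an added example (not FirmAE's own code, and not part of either comment above): a small POSIX shell helper that reads the connectivity lines run.sh prints in run mode from a saved log, pulls out the target IP and instance id, and polls the web service so manual testing starts only once the emulated device actually answers. It assumes the run.sh output was saved to a file (for example with tee), that sed and curl are available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not FirmAE code: consume the run-mode log of run.sh and
# wait for the emulated web service before starting manual testing.

# Extract the IP from the "[+] Network reachable on <ip>!" line of a saved log.
firmae_target_ip() {
    sed -n 's/^\[+\] Network reachable on \([0-9.]*\)!.*/\1/p' "$1" | head -n 1
}

# Extract the instance id from the "[IID] <n>" line (used in the tap device name).
firmae_iid() {
    sed -n 's/^\[IID\] \([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if the log reports a detected web service, 1 otherwise.
firmae_has_web() {
    grep -q '^\[+\] Web service on ' "$1"
}

# Poll the web service with curl until it answers or the timeout (seconds) expires.
# Typical use after `sudo ./run.sh -r dlink <firmware> | tee run.log`:
#   wait_for_web "$(firmae_target_ip run.log)" 60
wait_for_web() {
    ip=$1; timeout=${2:-60}; elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if curl -s -o /dev/null --connect-timeout 2 "http://$ip/"; then
            echo "web service on $ip is up after ${elapsed}s"
            return 0
        fi
        sleep 2; elapsed=$((elapsed + 2))
    done
    echo "web service on $ip not reachable after ${timeout}s" >&2
    return 1
}

# Constructed sample log (same shape as the run.sh output quoted in the thread),
# so the parsing functions can be exercised without a running emulation.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[IID] 1735
[MODE] run
[+] Network reachable on 192.168.0.1!
[+] Web service on 192.168.0.1
Creating TAP device tap1735_0...
EOF
```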