0x4243

Reversing Raw Binary Firmware Files in Ghidra

This brief tutorial will show you how to go about analyzing a raw binary firmware image in Ghidra.

Prep work in Binwalk

I was recently interested in reversing some older Cisco IOS images. Those images come in the form of a single binary blob, without any sort of ELF, Mach-o, or PE header to describe the binary.

While I am using Cisco IOS Images in this example, the same process should apply to other Raw Binary Firmware Images.

Low Hanging Hacker Fruit

This gist focuses on (relatively) free and (relatively) easy things organizations can do to better protect their networks without buying yet another black box with blinking lights.

Got some ideas of your own that should be on this list? Please leave a comment below!

Implementing a stronger AD password policy

Microsoft has a great paper on the topic that gives some nice high level recommendations:

Use a unique password per site
Enable complexity

	param(
	[Parameter(Mandatory)]
	[string]$Path
	)

	#Created by [email protected]
	#
	#Got keytab structure from http://www.ioplex.com/utilities/keytab.txt
	#
	# keytab {

	{
	"queries": [{
	"name": "List all owned users",
	"queryList": [{
	"final": true,
	"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
	}]
	},
	{
	"name": "List all owned computers",

	::##########################################################################################################################
	::
	:: This script can ruin your day, if you run it without fully understanding what it does, you don't know what you are doing,
	::
	:: OR BOTH!!!
	::
	:: YOU HAVE BEEN WARNED!!!!!!!!!!
	::
	:: This script is provided "AS IS" with no warranties, and confers no rights.
	:: Feel free to challenge me, disagree with me, or tell me I'm completely nuts in the comments section,

	After a little more research, 'In Memory' notion was a little exaggerated (hence the quotes). However, we'll call it 'In Memory Inspired' ;-)

	These examples are PowerShell alternatives to MSBuild.exe/CSC.exe for building (and launching) C# programs.

	Basic gist after running PS script statements:

	- Loads C# project from file or web URL
	- Create various tmp files
	- Compile with csc.exe [e.g. "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\subadmin\AppData\Local\Temp\lz2er5kc.cmdline"]
	- Comvert to COFF [e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\subadmin\AppData\Local\Temp\RES11D5.tmp" "c:\Users\subadmin\AppData\Local\Temp\CSCDECDA670512E403CA28C9512DAE1AB3.TMP"]

	"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }


	NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }


	Hashes of each binary (prepare for onslaught of md5 naysayers):
	Notes.exe — 8f633ef1e1147637c25dd917909cd361
	NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126

	# Get-SystemDriver requires the ConfigCI module on Win10 Enterprise
	# This will collect all signer information for all PEs in C:\
	# This will take a while!!!
	$Signers = Get-SystemDriver -ScanPath C:\ -UserPEs

	# Associate the subject name of each certificate to the file/signer info
	# so we can correlate the two.
	$CertSubjectMapping = $Signers \| % {
	$Signer = $_