
@briankip
Last active September 22, 2024 19:44
A short introduction to binwalk

Binwalk

Binwalk is a simple Linux tool for analysing binary files for embedded files and executable code. It works by scanning a file for known signatures (the magic bytes of compressed data, filesystems, executables and so on) and reporting the offset of each match. It is mostly used to pull apart firmware images.

Installation

On Kali Linux, binwalk is already installed. On Ubuntu you can run apt-get install binwalk, or you can go to https://github.com/devttys0/binwalk and follow the instructions there.

Usage

The first thing to do with a new Linux tool is to read its manual page, which you do with the command man binwalk. The manual page gives an overview of the options binwalk supports.

[image: binwalk.jpg]

Running binwalk filename.bin makes binwalk list what it recognises inside the binary file, together with the offset at which each embedded file begins, in both decimal and hexadecimal. The offset is useful if you want to carve the contents out yourself with a tool like dd. Bear in mind that a signature match is only a match on a few bytes: binwalk validates header fields to weed out false positives, but you should still sanity-check a hit before trusting it.

Binwalk can also extract the files it finds within the firmware image automatically; this is done with the -e switch. It can search for strings in the binary with the -S option. The -M (matryoshka) option tells binwalk to recursively scan the files it has extracted; the name refers to Russian nesting dolls, each of which contains another doll.

[image: matroshka.jpg]
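To make the scan-then-carve workflow described above concrete, here is an added example (not binwalk's own code, and not part of the original gist). It constructs a small fake firmware blob, scans it for a handful of well-known signatures the way binwalk's signature scan does, prints the hits in the same DECIMAL / HEXADECIMAL / DESCRIPTION layout binwalk uses, and carves the gzip member out by offset, which is what the dd step in the text amounts to. The signature list, the validators and the sample blob are all simplifications assumed for this example; binwalk's real signature database is far larger.

```python
"""Binwalk-style signature scan and carve (added example, not binwalk code)."""
import struct
import zlib


def gzip_ok(buf, off):
    # RFC 1952 header: ID1 ID2 CM FLG MTIME(4) XFL OS. CM must be 8 (deflate)
    # and the reserved FLG bits 5-7 must be zero; this rejects most random
    # occurrences of the two magic bytes, as binwalk's signature rules do.
    return len(buf) >= off + 10 and buf[off + 2] == 8 and buf[off + 3] & 0xE0 == 0


def elf_ok(buf, off):
    # e_ident[EI_CLASS] must be ELFCLASS32 (1) or ELFCLASS64 (2).
    return len(buf) >= off + 5 and buf[off + 4] in (1, 2)


def squashfs_ok(buf, off):
    # Little-endian superblock: magic, inode_count, mkfs_time, block_size, ...
    # block_size is a power of two between 4 KiB and 1 MiB.
    if len(buf) < off + 16:
        return False
    block_size = struct.unpack_from("<I", buf, off + 12)[0]
    return 4096 <= block_size <= 1 << 20 and block_size & (block_size - 1) == 0


# (magic bytes, description, header validator); a tiny subset of what binwalk knows.
SIGNATURES = [
    (b"\x1f\x8b", "gzip compressed data", gzip_ok),
    (b"\x7fELF", "ELF executable", elf_ok),
    (b"hsqs", "Squashfs filesystem, little endian", squashfs_ok),
]


def scan(buf):
    """Return [(offset, description)] for every validated signature hit, by offset."""
    hits = []
    for magic, desc, ok in SIGNATURES:
        off = buf.find(magic)
        while off != -1:
            if ok(buf, off):
                hits.append((off, desc))
            off = buf.find(magic, off + 1)
    return sorted(hits)


def format_table(hits):
    """Render hits the way binwalk prints them: decimal and hex offsets."""
    lines = [f"{'DECIMAL':<14}{'HEXADECIMAL':<16}DESCRIPTION", "-" * 60]
    for off, desc in hits:
        hexoff = f"0x{off:X}"
        lines.append(f"{off:<14}{hexoff:<16}{desc}")
    return "\n".join(lines)


def carve_gzip_member(buf, off):
    """Inflate one gzip member starting at off; return (data, member_length).

    A signature gives the start of a member but not its end, so rather than
    guessing a dd count, let the inflater tell us where the member stops.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper only
    data = d.decompress(buf[off:])
    if not d.eof:
        raise ValueError("truncated gzip member at offset %d" % off)
    member_len = len(buf) - off - len(d.unused_data)
    return data, member_len


# Constructed payload for the sample image; not real firmware.
SAMPLE_PAYLOAD = b"kernel image placeholder, constructed for this example\n" * 4


def build_sample_firmware():
    """Constructed blob (not a real image); returns (blob, {part_name: offset})."""
    header = b"FWHDR\x00" + b"\xaa" * 250                     # 256-byte vendor header
    c = zlib.compressobj(0, zlib.DEFLATED, 16 + zlib.MAX_WBITS)  # level 0: stored gzip
    gz = c.compress(SAMPLE_PAYLOAD) + c.flush()
    decoy = b"\x1f\x8b\xff" + b"\x00" * 13                     # gzip magic, bad CM byte
    squash = b"hsqs" + struct.pack("<III", 42, 0, 131072) + b"\x00" * 80  # 96-byte superblock
    elf = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 56      # ELF64 header stub
    parts = [("header", header), ("gzip", gz), ("decoy", decoy),
             ("squashfs", squash), ("elf", elf)]
    layout, blob, off = {}, bytearray(), 0
    for name, part in parts:
        layout[name] = off
        blob += part
        off += len(part)
    return bytes(blob), layout


if __name__ == "__main__":
    blob, layout = build_sample_firmware()
    hits = scan(blob)
    print(format_table(hits))
    data, n = carve_gzip_member(blob, hits[0][0])
    print(f"\ncarved {n}-byte gzip member at offset {hits[0][0]}: {data[:30]!r}...")
    print(f"decoy magic at offset {layout['decoy']} rejected by header validation")
```

The decoy shows why header validation matters: the two gzip magic bytes appear at a second offset, but the compression-method byte is wrong, so the hit is dropped. When you carve by hand with dd you have the same problem in reverse, a start offset but no length; letting the decompressor stop at the end of the member (or, for filesystems, reading the size field from the superblock) is more reliable than eyeballing the next signature.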

Conclusion

Binwalk is an important tool for a forensic analyst. Coupled with other tools it can be invaluable in an investigation.

@cuvtixo

cuvtixo commented Sep 22, 2024

(I was right about my point being totally moot)

> The original and second version of Binwalk are largely unmaintained.

Binwalk v3 is currently under active development.
While still experimental, we recommend trying it out; issues/bug reports welcome! :)

Binwalk3 is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.

*** Extraction Security Notice ***
Prior to Binwalk v2.3.3, extracted archives could create symlinks which point anywhere on the file system, potentially resulting in a directory traversal attack if subsequent extraction utilities blindly follow these symlinks. More generically, Binwalk makes use of many third-party extraction utilities which may have unpatched security issues; Binwalk v2.3.3 and later allows external extraction tools to be run as an unprivileged user using the run-as command line option (this requires Binwalk itself to be run with root privileges). Additionally, Binwalk v2.3.3 and later will refuse to perform extraction as root unless --run-as=root is specified.

*** Python 2.7 Deprecation Notice ***
Even though many major Linux distros are still shipping Python 2.7 as the default interpreter in their currently stable release, we are making the difficult decision to move binwalk support exclusively to Python 3. This is likely to make many upset and others rejoice. If you need to install binwalk into a Python 2.7 environment we will be creating a tag python27 that will be a snapshot of master before all of these major changes are made. Thank you for being patient with us through this transition process.

More information on Wiki

Binwalk Professional Edition

After years of developing and supporting binwalk as an open source project we have finally sold out to the man and released a cloud-based firmware extraction engine called Binwalk Enterprise. After all someone needs to pay devttys0 so he can buy more milling equipment and feed his children (in that order). Please consider subscribing and reap the benefits of getting actual customer support for all your firmware extraction and analysis needs. Please visit https://www.refirmlabs.com/binwalk-enterprise/ for more information.

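The extraction security notice quoted in the comment above describes the hazard of archives that plant symlinks pointing outside the extraction directory. As an added example (not binwalk's code and not part of the gist or the comment), the script below walks an extraction directory and reports every symlink whose resolved target leaves that directory, which is the check worth running over a _filename.extracted tree before any other tool follows the links. The sample tree it builds is constructed for the example; the directory names merely mimic what binwalk produces.

```python
"""Find symlinks in an extraction directory that resolve outside it (added example)."""
import os
import tempfile


def find_escaping_symlinks(root):
    """Return sorted relative paths of symlinks whose target leaves root.

    Links are resolved in place with os.path.realpath, so a relative link that
    climbs with ../ past root is caught as well as an absolute one. Dangling
    links are resolved too: their target may well exist on the analyst's host.
    """
    root = os.path.realpath(root)
    escapes = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # follows the whole chain, no existence check
            if os.path.commonpath([root, target]) != root:
                escapes.append(os.path.relpath(path, root))
    return sorted(escapes)


def build_sample_extraction(base):
    """Constructed tree mimicking a _firmware.bin.extracted/squashfs-root layout."""
    sq = os.path.join(base, "squashfs-root")
    for sub in ("bin", "etc", "lib", "tmp"):
        os.makedirs(os.path.join(sq, sub))
    with open(os.path.join(sq, "bin", "busybox"), "w") as f:
        f.write("#!/bin/sh\n")  # stand-in for the real binary
    # Benign: relative link to a sibling inside the image (busybox-style applet).
    os.symlink("busybox", os.path.join(sq, "bin", "sh"))
    # Benign but dangling: target missing, yet still inside the tree.
    os.symlink("libfoo.so.1", os.path.join(sq, "lib", "libfoo.so"))
    # Escape 1: absolute link to a host file.
    os.symlink("/etc/shadow", os.path.join(sq, "etc", "shadow"))
    # Escape 2: relative link that climbs past the extraction root.
    os.symlink("../../../../../../../../tmp", os.path.join(sq, "tmp", "out"))


def demo():
    """Build the constructed tree in a temp dir and return the escapes found."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_extraction(base)
        return find_escaping_symlinks(base)


if __name__ == "__main__":
    found = demo()
    for rel in found:
        print("ESCAPE:", rel)
    print(f"{len(found)} escaping symlink(s)")
```

Run find_escaping_symlinks on a real extraction directory instead of the demo tree. The point of resolving with realpath rather than inspecting the link text is that an attacker can chain links (a link to a link that escapes) or climb with more ../ than the tree is deep; both end up outside root once resolved. If the scan reports anything, delete or neutralise those links before handing the directory to unsquashfs, tar, a file indexer or any other tool that may follow them, and run extraction as an unprivileged user in the first place, as the notice recommends.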