IoT Hacking - Netgear AC1750 NightHawk

IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell

20 днів тому

** NOTE: Audio is terrible. It was recorded using the wrong mic the entire time. **
In this video we show my initial look at the Netgear AC1750 NightHawk device where I drop a UART root shell quickly and then explore the underlying Linux system.
🛠️ Stuff I Use 🛠️
🪛 Tools:
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4aaCOGt
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nmatt0/
#hacking #iot #cybersecurity #reverseengineering #firmware

КОМЕНТАРІ: 82

@mattbrwn 19 днів тому

NOTE: Audio is terrible. It was recorded using the wrong mic the entire time.

@Log4Jake 19 днів тому

Still a great vid. Going to try to find some vulns in one of my routers now.

@byronlovesdrifting1 19 днів тому

Wake up. New Matt Brown video. Off work. Its gonna be a good day

@Sircliffe 2 дні тому

Matt who? This is Jim Carrey.

@xDMG15x 19 днів тому

That was kind of a dream result! I actually have this Netgear router, i can’t think of anything I would want to modify in the fw right now but its good to know I have the option

@theskelet4r 19 днів тому

Amazing Video Matt, Keep it up and thank you for sharing your knowledge and experience with the community

@tylersharpe9413 19 днів тому

Thanks for making these videos. Very informative.

@SlinkyStoney 19 днів тому

You might want to try those DC barrel connectors with screw terminals on the other end. It is commonly used on analog security cameras.

@mattbrwn 19 днів тому

That would have been better, but sometimes perfect is the enemy of forward progress.

@SlinkyStoney 19 днів тому

@@mattbrwn true

@pablopoo 18 днів тому

A device firmware have a lot in common with a docker container. The ro OS is the container, the rw filesystem is the docker volume, and the nvram is the docker environment. (.env)

@kakashisharigan336 17 днів тому

interesting

@mytechnotalent 19 днів тому

Great one Matt love your hardware reversing vids! I like how you leave nothing abstracted. Hope to see you at DEFCON!

@mattbrwn 19 днів тому

I wish I could be at Defcon this year but I won't be able to make it due to some personal reasons. (Very positive ones 😊)

@mytechnotalent 19 днів тому

@@mattbrwn well I appreciate your material so much Matt!

@petergaudiomonte1080 2 дні тому

I love this stuff man thank you!

@Skyspace187 5 днів тому

Get yourself a number of 4-6mm barrel jacks with some terminal caps on the wired end that you can either gator clip or screw into a bench supply. Way way easier than having to solder onto the board. I work on a bunch of home routers to recycle/refurb them with OpenWRT, DD-WRT, etc. It's pretty easy to keep a handful of barrel jack bench supply adapters around for your exact use. :D

@edwinking4407 15 днів тому

Matt is really coming back.

@Electrically-Electronic 19 днів тому

I want you to make a video about modifying the firmware in the embedded system. Because during my case I have /bin/psh which is a protected shell for the uart. The only way to get around this is modifying the firmware and assigning /bin/sh for it. When I try to do it, LZMA compression turns out to be a big pain. So looking forward for those videos. Btw this video is good overall.

@mattbrwn 19 днів тому

Oh yeah I've ran into systems with those annoying limited shells. It feels like you are so close and yet so far from your goal at the same time.

@Electrically-Electronic 19 днів тому

@@mattbrwn yes exactly.

@feff6754 18 днів тому

Great content!

@johanbtheman 18 днів тому

Cool. Nice man cave as well

@Falney 6 годин тому

You should get your self an assortment of barrel Jack sizes and put connectors on them for your psu.

@examen1996 День тому

Where did you learn this ? This is so cool, combined with my interest in openwrt and routers this video is extremely interesting. There used to be another guy doing reverse engineering and software shananigans with routers, his channel name was Make Me hack, I think you might find his content great for inspiration . Keep the videos coming, your channel has the old youtube vibe, and you clearly know your stuff!

@mattbrwn День тому

loved that guys videos but he hasn't posted in awhile :(

@StevenHokins 16 днів тому

Very cool

@antonyjose2231 19 днів тому

Hay matt what WM are using for your OS, looks really clean and easy on the resources. Love the videos ❤

@mattbrwn 19 днів тому

using i3wm with i3gaps

@varuntech5690 9 днів тому

Great video!!!. I just want to know which linux you are using and which window manager it is and it's theme? Thank you.

@mattbrwn 9 днів тому

Arch Linux with i3wm

@MattMellen1337 19 днів тому

@mattbrwn Do you have any experience with Sonicwall devices? I've got uart on a sonicwave 231c that I retrieved from ewaste and would like to dig in on it. I have two, one is factory reset and the other is still sitting while I poke at the open one.

@mattbrwn 19 днів тому

No experience with that stuff no. Would love to see any progress you make!

@TradieTrev 19 днів тому

Matt I noticed wlanconfigd process @27:30 Dare say they leave the UART open for debugging purposes from the factory to load the firmware? To mitigate this don't some more secure IoT devices blow an efuse to prevent physical access to the firmware? I have a few quite expensive STM32 devices, but I feel I need the STLink firmware tool to have a crack for a n00b like myself.

@mattbrwn 19 днів тому

So the STM32 is a microcontroller which has internal flash. Most/all Linux embedded devices use external flash that is seperate from the CPU. This is why firmware extraction on a microcontroller is harder.

@MacGuffin1 19 днів тому

Phyisical access means 'all bets are off' ie; it's your router, you own it and there's not much point in them bothering to try and lock out UART(If your not microsoft or apple, it's prolly a waste of money for them). Interesting that it uses bitdefender and OpenVPN etc.. Scary how many ports they have open omg...

@polesouth-ey5qq 17 днів тому

@mattbrwn what is the make/model of your microscope? Maybe list the tech you use in the description. I am a newb. Thanks

@mattbrwn 17 днів тому

AmScope SM-4NTP 7X-45X

@atrocitus777 15 днів тому

with those four pins exposed like that could you still have gotten the root shell without soldering the extra wires and just used that usb cable and the power supply?

@worroSfOretsevraH 4 дні тому

Hey Matt. Have you ever done any console hacking? For example the good old PS3 metldr2 would be a nice challenge. A very, very hard one tho. Hackers unfortunately turned away from the PS3 a long time ago, so someone skilled is needed to nail it down for good...

@mattbrwn 4 дні тому

No I haven't and unfortunately I gave away my PS3 a few years ago

@miguelreed2499 2 дні тому

There's an app and you can also enable auto updates on netgear devices now.

@argentinomacrifuevidaltamb3772 19 днів тому

Excelente trabajo.

@nate4379 День тому

try netstat with -p ( helps to see the process tied to the port) Not uncommon for developers to use non standard ports.

@phxsisko 18 днів тому

I have a pair of R8000's I flashed to DD-WRT for the extra features and especially better security over negears trash firmware. I recently changed out my gateway to a 4x10G/5x2.5G NIC - 8 core Qotom box running an open source firewall - I keep those R8000's around when I need a quick, portable 1G network preconfigured I can take with me on the road (in a car, not a plane).

@dabunnisher29 18 днів тому

Hello Matt. Really like your channel. Could you suggest resources and hardware for a noob like me? I have a lot of experience with raspberry pi's and basic electronics, but would like to learn hardware hacking as well. Thank you in advance.

@mattbrwn 18 днів тому

Do you have a specific thing that you want to learn? Hardware hacking is a wide category that includes a bunch of stuff. But generally I always have fun grabbing a device from ewaste or a thrift store and learning as much as I can about that target device.

@dabunnisher29 18 днів тому

@@mattbrwn Thank you very much for taking the time to respond to my questions. I’m looking for the basics: Essential hardware needed (UART readers, etc.), Essential Software to interact with the target item, and Essential reference material to be able to learn how to interact with the target item. Also, simple projects that a noob would be able to work on. I have Raspberry Pi’s and Raspberry Pi Pico’s (with pico probe). Would I be able to use those to interact with the items?

@pablopoo 18 днів тому

If you have access to a gen2 unifi switch, please do a video on that devices. Unifi removed the switch console port, so any information on how to access the console will be useful (firmware recovery)

@whodaFru4551 19 днів тому

It would drive me crazy getting constantly interrupted by the ping and the other commands outputs, especially if you have to enumerate for hours. Would it be possible to start an ssh server and connect that way to get a proper shell/environment?

@mattbrwn 19 днів тому

Yep most openwrt devices will have the dropbear ssh server you can start. I definitely setup ssh when doing longer looks at a device like this because of the annoying console output you mentioned.

@vergil9397 19 днів тому

I really want to see how you will find somebug on IoT device from the beginning (dump firmware, Reverse,...). Love your contents

@mattbrwn 19 днів тому

I think that full arc should be possible on this device.

@vergil9397 19 днів тому

@@mattbrwn thats awesome man,

@jahwni 19 днів тому

Hey Matt, did you ever finish off the Arlo videos? I watched one yesterday and was pumped for the next one after you said what you were going to do in the next one.......then there is no next one? 😭 you always seem to stop a series right when I need it most, like firmware modification or reverse engineering, noooooo! I've been doing this stuff for a while so would be awesome to see your approach to more challenging stuff. You should show us something like a device that has encrypted firmware, or something where binwalk gives you no results and you have to figure it out, or extracting the firmware is much harder because the flash has protections in place you need to change, or show us modifying some firmware to bypass something and re-flashing the device etc. Also, please keep showing the raw footage, not edited, the little struggles along the way are the most useful to see! Or you might mention extra things that are super helpful 👍

@mattbrwn 18 днів тому

I bricked the Arlo device which ended that video series unfortunately. I am trying to do more long form videos where you see the whole process 😁

@jahwni 18 днів тому

@@mattbrwn Ahh damn! We've all been there haha, keep them coming 🦾

@Gary-ve6ll 19 днів тому

Can you do a cable modem or even a cable set top box would be interesting to see whats inside 🎉

@mattbrwn 19 днів тому

ukposts.info/have/v-deo/sXlogJp-sI6kz6c.html

@Gary-ve6ll 19 днів тому

@mattbrwn ohhh didn't even see that am of to watch it

@Gertbfrobe407 19 днів тому

Hey @Matt , I am trying to remotely monitor my home network. How would you do this? Currently, I'm looking to use my esp32. Do you know the best method? Or I have a Nexus 7 running nethunter. Ideally, I'd have a battery bank for power, monitoring over WiFi. Any resources or help is appreciated 😊

@mattbrwn 19 днів тому

When you say you want to monitor your network what specifically do you want to monitor for?

@Gertbfrobe407 19 днів тому

@mattbrwn internet traffic, and any unauthorized access. I think someone is using my credentials to access my stuff. But 2fa sometimes doesn't work even for me. Whatever you think could help.

@Gertbfrobe407 19 днів тому

I want to monitor web traffic. I think someone is using my creds to log on and snoop. So that level of monitoring is what I'm seeking 😅 my iPad and pc are left there, so if they are being accessed w/o permission and then snooping is what I assume is happening. P.s. if I just change password I won't catch the culprit.

@sleepymarauder4178 18 днів тому

@@Gertbfrobe407You can do a simple wireshark or go full SIEM mode. The book Cybersecurity for Small Networks fits your need perfectly.

@kwindapp 18 днів тому

Hi can you hack some Weather Windstations serial? 😀 The Tempest Weatherflow

@debanjansaha2256 18 днів тому

Great video bro .. very useful and informative video....bro please improve your videos voice quality

@stan464 11 днів тому

10:00 shorten those ends before it shorts to the board somewhere.

@kwindapp 18 днів тому

any Anemometer would be 🙏👍👍

@thomasvnl 18 днів тому

OpenVPN => Router acts as server, client key/cert are for devices to connect to it

@mattbrwn 18 днів тому

Yeah that makes sense now that I think about it. Wouldn't have the server key sitting their otherwise...

@drewlarson65 18 днів тому

tin the wires first, and keep your poor tip clean... also, apply solder to the work, not the iron. AND FLUX

@roran60 19 днів тому

is it possible to compile a custom version of openwrt for this ?

@mattbrwn 19 днів тому

Yep I bet openwrt/ddwrt already supports this device 😀

@PCGamer1732 День тому

@@mattbrwnIndeed they do, I have one with dd-wrt 🔥

@Smetwork 13 днів тому

One question.. why not make life easier and have a couple barrel plugs with pre soldered wires and just hook them up with clips instead of soldering onto the connector

@mattbrwn 12 днів тому

Sure. But I'm working with what I have. It doesn't have to be perfect. We are engineers not scientists 🙂

@bertblankenstein3738 День тому

I would have just tried a 12V adapter at a lower amp rating. If it didn't work, you could also cut the barrel plug (with some cord) off the adapter with too low a current rating. The soldering while perfectly doable, seems like a lot more work. That said, I'm lacking in gaining root shell access on devices I'm playing with, hence my presence here.