IoT Hacking - Netgear AC1750 NightHawk - UART Root Shell

Подписаться 67 тыс.

Просмотров 30 тыс.

50% 1

** NOTE: Audio is terrible. It was recorded using the wrong mic the entire time. **
In this video we show my initial look at the Netgear AC1750 NightHawk device where I drop a UART root shell quickly and then explore the underlying Linux system.
IoT Hackers Hangout Community Discord Invite:
/ discord
🛠️ Stuff I Use 🛠️
🪛 Tools:
XGecu Universal Programmer: amzn.to/4dIhNWy
Multimeter: amzn.to/4b9cUUG
Power Supply: amzn.to/3QBNSpb
Oscilloscope: amzn.to/3UzoAZM
Logic Analyzer: amzn.to/4a9IfFu
USB UART Adapter: amzn.to/4dSbmjB
iFixit Toolkit: amzn.to/44tTjMB
🫠 Soldering & Hot Air Rework Tools:
Soldering Station: amzn.to/4dygJEv
Microsoldering Pencil: amzn.to/4dxPHwY
Microsoldering Tips: amzn.to/3QyKhrT
Rework Station: amzn.to/3JOPV5x
Air Extraction: amzn.to/3QB28yx
🔬 Microscope Setup:
Microscope: amzn.to/4abMMao
Microscope 0.7X Lens: amzn.to/3wrV1S8
Microscope LED Ring Light: amzn.to/4btqiTm
Microscope Camera: amzn.to/3QXSXsb
About Me:
My name is Matt Brown and I'm an Hardware Security Researcher and Bug Bounty Hunter. This channel is a place where I share my knowledge and experience finding vulnerabilities in IoT systems.
- Soli Deo Gloria
💻 Social:
twitter: / nmatt0
linkedin: / mattbrwn
github: github.com/nma...
#hacking #iot #cybersecurity #reverseengineering #firmware

Опубликовано:

28 сен 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 122

@mattbrwn 5 месяцев назад

NOTE: Audio is terrible. It was recorded using the wrong mic the entire time.

@Log4Jake 5 месяцев назад

Still a great vid. Going to try to find some vulns in one of my routers now.

@colinofay7237 4 месяца назад

No problem

@FUBAU 3 месяца назад

Still great! Thanks and keep it up.

@byronlovesdrifting1 5 месяцев назад

Wake up. New Matt Brown video. Off work. Its gonna be a good day

@Sircliffe 4 месяца назад

Matt who? This is Jim Carrey.

@xDMG15x 5 месяцев назад

That was kind of a dream result! I actually have this Netgear router, i can’t think of anything I would want to modify in the fw right now but its good to know I have the option

@the_beefy1986 4 месяца назад

40:00 (ish): netstat is probably taking a long time because it's trying to do reverse DNS lookups on the IP addresses it's encountering. Try adding a "-n" flag on it next time to avoid this behavior. This same behavior applies to a lot of other common shell utilities such as ping, traceroute, tcpdump, etc. Edit: BTW, I've just discovered your channel and am enjoying your videos immensely. I work in security engineering, and I've always been interested in embedded hardware hacking.

@Skyspace187 4 месяца назад

Get yourself a number of 4-6mm barrel jacks with some terminal caps on the wired end that you can either gator clip or screw into a bench supply. Way way easier than having to solder onto the board. I work on a bunch of home routers to recycle/refurb them with OpenWRT, DD-WRT, etc. It's pretty easy to keep a handful of barrel jack bench supply adapters around for your exact use. :D

@daze8410 4 месяца назад

I just made a barrel to alligator clips before I saw this lol

@SlinkyStoney 5 месяцев назад

You might want to try those DC barrel connectors with screw terminals on the other end. It is commonly used on analog security cameras.

@mattbrwn 5 месяцев назад

That would have been better, but sometimes perfect is the enemy of forward progress.

@SlinkyStoney 5 месяцев назад

@@mattbrwn true

@RyanRath Месяц назад

Dude, I love this content, watching your process uncut, unscripted, showing how you troubleshoot rather than just having it all worked out ahead of time and watching it all work the first time. I Learn so much more this way as I’m staring my hardware hacking endeavor. You’re a stud, keep it up man, I’m sending your vids to all my buddies, if you make it out to defcon one year, hit me up.

@Wageslave645 4 месяца назад

That face when he found the same router as yours in e-waste...😔

@theskelet4r 5 месяцев назад

Amazing Video Matt, Keep it up and thank you for sharing your knowledge and experience with the community

@pablopoo 5 месяцев назад

A device firmware have a lot in common with a docker container. The ro OS is the container, the rw filesystem is the docker volume, and the nvram is the docker environment. (.env)

@kakashisharigan336 5 месяцев назад

interesting

@examen1996 4 месяца назад

Where did you learn this ? This is so cool, combined with my interest in openwrt and routers this video is extremely interesting. There used to be another guy doing reverse engineering and software shananigans with routers, his channel name was Make Me hack, I think you might find his content great for inspiration . Keep the videos coming, your channel has the old youtube vibe, and you clearly know your stuff!

@mattbrwn 4 месяца назад

loved that guys videos but he hasn't posted in awhile :(

@Electrically-Electronic 5 месяцев назад

I want you to make a video about modifying the firmware in the embedded system. Because during my case I have /bin/psh which is a protected shell for the uart. The only way to get around this is modifying the firmware and assigning /bin/sh for it. When I try to do it, LZMA compression turns out to be a big pain. So looking forward for those videos. Btw this video is good overall.

@mattbrwn 5 месяцев назад

Oh yeah I've ran into systems with those annoying limited shells. It feels like you are so close and yet so far from your goal at the same time.

@Electrically-Electronic 5 месяцев назад

@@mattbrwn yes exactly.

@cory4940 4 месяца назад

Just stumbled upon your channel, so glad I did this stuff is mad interesting 🤙🏽

@mytechnotalent 5 месяцев назад

Great one Matt love your hardware reversing vids! I like how you leave nothing abstracted. Hope to see you at DEFCON!

@mattbrwn 5 месяцев назад

I wish I could be at Defcon this year but I won't be able to make it due to some personal reasons. (Very positive ones 😊)

@mytechnotalent 5 месяцев назад

@@mattbrwn well I appreciate your material so much Matt!

@rain2besoon 2 месяца назад

Keep them coming. These are really good

@thebrakshow7415 18 дней назад

This is fun video. I have a few old routers i may have to crack open for science :D

@erickvond6825 4 месяца назад

In situations like this I would recommend soldering the ground to one of the metal shields as their a little easier to attach a wire to.

@SteveRand Месяц назад

22:00 These things often have a TFTP-based recovery app for flashing firmware back on after a bricking event.

@Arm1nas 3 месяца назад

21:25 - This is most likely TFTP, most routers have this functionality, and you can flash firmware with this protocol, commonly used to load custom firmware like OpenWRT, DD-WRT, etc.

@uzairshaikh7955 4 месяца назад

Just 400 likes? This deserves 400k. Come on netizens, come on yt algo, give him what he deserves. Btw have a subscribe.

@elfnetdesigns702 2 месяца назад

The AX series nighthawk wifi 6 routers (at least the one I have) the UART section is not populated with componets on the PCB. The pads are all there, just empty. Dosen't matter really anymore since the router bricked itself due to a failed update that happened to take place when my ISP decided to do some maintenance and the update was partial and now the power led flashes red constantly. No TFTP connection, obviously no UART access. She's a brick.

@TradieTrev 5 месяцев назад

Matt I noticed wlanconfigd process @27:30 Dare say they leave the UART open for debugging purposes from the factory to load the firmware? To mitigate this don't some more secure IoT devices blow an efuse to prevent physical access to the firmware? I have a few quite expensive STM32 devices, but I feel I need the STLink firmware tool to have a crack for a n00b like myself.

@mattbrwn 5 месяцев назад

So the STM32 is a microcontroller which has internal flash. Most/all Linux embedded devices use external flash that is seperate from the CPU. This is why firmware extraction on a microcontroller is harder.

@MacGuffin1 5 месяцев назад

Phyisical access means 'all bets are off' ie; it's your router, you own it and there's not much point in them bothering to try and lock out UART(If your not microsoft or apple, it's prolly a waste of money for them). Interesting that it uses bitdefender and OpenVPN etc.. Scary how many ports they have open omg...

@0xbitbybit 5 месяцев назад

Hey Matt, did you ever finish off the Arlo videos? I watched one yesterday and was pumped for the next one after you said what you were going to do in the next one.......then there is no next one? 😭 you always seem to stop a series right when I need it most, like firmware modification or reverse engineering, noooooo! I've been doing this stuff for a while so would be awesome to see your approach to more challenging stuff. You should show us something like a device that has encrypted firmware, or something where binwalk gives you no results and you have to figure it out, or extracting the firmware is much harder because the flash has protections in place you need to change, or show us modifying some firmware to bypass something and re-flashing the device etc. Also, please keep showing the raw footage, not edited, the little struggles along the way are the most useful to see! Or you might mention extra things that are super helpful 👍

@mattbrwn 5 месяцев назад

I bricked the Arlo device which ended that video series unfortunately. I am trying to do more long form videos where you see the whole process 😁

@0xbitbybit 5 месяцев назад

@@mattbrwn Ahh damn! We've all been there haha, keep them coming 🦾

@shawndonnelly5642 Месяц назад

Is this the netgear nighthawk 1750 (r6700) or (r6400) or (6350)? There's also different versions of them...do you happen to know? I'm just wondering if all of them have the pins on the board or not. I wanna buy one on ebay to follow along. They're pretty cheap. ** This appears to be a r6700 V3. After you listed the ps command, it mentioned it.

@cjshim8744 4 месяца назад

Bitdefender in an anti virus software, did not expect to see it in there

@polesouth-ey5qq 5 месяцев назад

@mattbrwn what is the make/model of your microscope? Maybe list the tech you use in the description. I am a newb. Thanks

@mattbrwn 5 месяцев назад

AmScope SM-4NTP 7X-45X

@worroSfOretsevraH 4 месяца назад

Hey Matt. Have you ever done any console hacking? For example the good old PS3 metldr2 would be a nice challenge. A very, very hard one tho. Hackers unfortunately turned away from the PS3 a long time ago, so someone skilled is needed to nail it down for good...

@mattbrwn 4 месяца назад

No I haven't and unfortunately I gave away my PS3 a few years ago

@Gary-ve6ll 5 месяцев назад

Can you do a cable modem or even a cable set top box would be interesting to see whats inside 🎉

@mattbrwn 5 месяцев назад

ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-yI7LdGyXsns.html

@Gary-ve6ll 5 месяцев назад

@mattbrwn ohhh didn't even see that am of to watch it

@D95SI420 4 месяца назад

if it can run a aftermarket firmware like dd-wrt or tomato all these types of routers are easy to hack.

@MattMellen1337 5 месяцев назад

@mattbrwn Do you have any experience with Sonicwall devices? I've got uart on a sonicwave 231c that I retrieved from ewaste and would like to dig in on it. I have two, one is factory reset and the other is still sitting while I poke at the open one.

@mattbrwn 5 месяцев назад

No experience with that stuff no. Would love to see any progress you make!

@vergil9397 5 месяцев назад

I really want to see how you will find somebug on IoT device from the beginning (dump firmware, Reverse,...). Love your contents

@mattbrwn 5 месяцев назад

I think that full arc should be possible on this device.

@vergil9397 5 месяцев назад

@@mattbrwn thats awesome man,

@atrocitus777 5 месяцев назад

with those four pins exposed like that could you still have gotten the root shell without soldering the extra wires and just used that usb cable and the power supply?

@mastekillerKurD 3 месяца назад

Hey Matt, I’ve been interested in iot security and was trying to follow along with my netgear ac1900 c7000v2, I’m able to get a terminal but the party ends as it gets stuck at the console handover boot -> real, my assumption is because of the baudrate? Would you happen to have any experience with this router?

@mattbrwn 3 месяца назад

They might have UART disabled after the bootloader on that model. hop into our discord and post some screenshots + terminal output for some more detailed help.

@drewlarson65 5 месяцев назад

tin the wires first, and keep your poor tip clean... also, apply solder to the work, not the iron. AND FLUX

@thomasvnl 5 месяцев назад

OpenVPN => Router acts as server, client key/cert are for devices to connect to it

@mattbrwn 5 месяцев назад

Yeah that makes sense now that I think about it. Wouldn't have the server key sitting their otherwise...

@Iron_Condorr 5 месяцев назад

Hey @Matt , I am trying to remotely monitor my home network. How would you do this? Currently, I'm looking to use my esp32. Do you know the best method? Or I have a Nexus 7 running nethunter. Ideally, I'd have a battery bank for power, monitoring over WiFi. Any resources or help is appreciated 😊

@mattbrwn 5 месяцев назад

When you say you want to monitor your network what specifically do you want to monitor for?

@Iron_Condorr 5 месяцев назад

@mattbrwn internet traffic, and any unauthorized access. I think someone is using my credentials to access my stuff. But 2fa sometimes doesn't work even for me. Whatever you think could help.

@Iron_Condorr 5 месяцев назад

I want to monitor web traffic. I think someone is using my creds to log on and snoop. So that level of monitoring is what I'm seeking 😅 my iPad and pc are left there, so if they are being accessed w/o permission and then snooping is what I assume is happening. P.s. if I just change password I won't catch the culprit.

@sleepymarauder4178 5 месяцев назад

@@Iron_CondorrYou can do a simple wireshark or go full SIEM mode. The book Cybersecurity for Small Networks fits your need perfectly.

@stan464 5 месяцев назад

10:00 shorten those ends before it shorts to the board somewhere.

@deeurb916 2 месяца назад

Hey Matt, where would I get a hold of you? I have a Wi-Fi pineapple I want to donate to you. I don't know. Wat you could do that??👍 Thank you for all your expertise.

@feff6754 5 месяцев назад

Great content!

@crouchermike 4 месяца назад

Smart TV?

@debanjansaha2256 5 месяцев назад

Great video bro .. very useful and informative video....bro please improve your videos voice quality

@johanbtheman 5 месяцев назад

Cool. Nice man cave as well

@kwindapp 5 месяцев назад

any Anemometer would be 🙏👍👍

@weblord64 2 месяца назад

If all you wanted to get is the wifi password, why not connect with WPS and see the password? Would be more interesting if we needed to get admin login of router config page.

@Gritaremos 4 месяца назад

who's Jeannine? Couldn't help myself and pause the video in the section that was blurred lol

@gigglesseven 4 месяца назад

vgtr bell vegertable

@Plowing 5 месяцев назад

first

@jiinueleo2211 4 месяца назад

Any other 12v adapter would have worked fine, no need for it to be 2.5 exact. 12 mins start of video was a waste

@ripplerxeon 3 месяца назад

And when you don't have it then? Bro is watching free video and complaining,

@argentinomacrifuevidaltamb3772 5 месяцев назад

Excelente trabajo.

@sma2981 4 месяца назад

that router is beast. you can use merlin firmware.

@daze8410 4 месяца назад

I was able to do this and you do not need 'nvram show', just run 'routerinfo'

@daze8410 4 месяца назад

nvm, just shows defaults

@Spudz76 4 месяца назад

netstat needs "-n" to quit trying to do reverse-dns lookups on every IP (which is why it's slow when there is no accessible DNS server) also netstat is officially deprecated, 'ss -nlp' is the new command, although some busyboxen may not have that at all

@roran60 5 месяцев назад

is it possible to compile a custom version of openwrt for this ?

@mattbrwn 5 месяцев назад

Yep I bet openwrt/ddwrt already supports this device 😀

@PCGamer1732 4 месяца назад

@@mattbrwnIndeed they do, I have one with dd-wrt 🔥

@IceburgSlim8481 3 месяца назад

bro do u sell those devices or accept any from users b/c i have a box of old devices i could send you to tinker with

@mattbrwn 3 месяца назад

I'm working on a solution where ppl can send me stuff. stay tuned.

@edwinking4407 5 месяцев назад

Matt is really coming back.

@tylersharpe9413 5 месяцев назад

Thanks for making these videos. Very informative.

@by010 4 месяца назад

To be honest, I think its better that way that debug port is clearly marked as such and if you plug into it, the device dosent give you any trouble to get to root. Afterall its your device it does mean to "own" to get the lovely root shell.

@KennethLongcrier Месяц назад

I was surprised that you didn't feed 12V ( V++) back through your jtag connector...

@flamehead7665 Месяц назад

I've got the same router with DDWRT on it but don't use it because I'm not sure exactly how to set it up and use all the fun cyber security options. I flashed it in hopes of using my phone as a modem and using the Router as a router via USB but I can't find any good tutorials on it.

@phxsisko 5 месяцев назад

I have a pair of R8000's I flashed to DD-WRT for the extra features and especially better security over negears trash firmware. I recently changed out my gateway to a 4x10G/5x2.5G NIC - 8 core Qotom box running an open source firewall - I keep those R8000's around when I need a quick, portable 1G network preconfigured I can take with me on the road (in a car, not a plane).

@realmstupid-on8df 3 месяца назад

Is all your heat getting sucked into that return vent

@varuntech5690 4 месяца назад

Great video!!!. I just want to know which linux you are using and which window manager it is and it's theme? Thank you.

@mattbrwn 4 месяца назад

Arch Linux with i3wm

@whodaFru4551 5 месяцев назад

It would drive me crazy getting constantly interrupted by the ping and the other commands outputs, especially if you have to enumerate for hours. Would it be possible to start an ssh server and connect that way to get a proper shell/environment?

@mattbrwn 5 месяцев назад

Yep most openwrt devices will have the dropbear ssh server you can start. I definitely setup ssh when doing longer looks at a device like this because of the annoying console output you mentioned.

@frosty1433 4 месяца назад

Hack a Roku

@pl46u3 4 месяца назад

Vol on 69%

@pb_y43 5 месяцев назад

Second

@StevenHokins 5 месяцев назад

Very cool

@pablopoo 5 месяцев назад

If you have access to a gen2 unifi switch, please do a video on that devices. Unifi removed the switch console port, so any information on how to access the console will be useful (firmware recovery)

@kwindapp 5 месяцев назад

Hi can you hack some Weather Windstations serial? 😀 The Tempest Weatherflow

@Falney 4 месяца назад

You should get your self an assortment of barrel Jack sizes and put connectors on them for your psu.

@Smetwork 5 месяцев назад

One question.. why not make life easier and have a couple barrel plugs with pre soldered wires and just hook them up with clips instead of soldering onto the connector

@mattbrwn 5 месяцев назад

Sure. But I'm working with what I have. It doesn't have to be perfect. We are engineers not scientists 🙂

@bertblankenstein3738 4 месяца назад

I would have just tried a 12V adapter at a lower amp rating. If it didn't work, you could also cut the barrel plug (with some cord) off the adapter with too low a current rating. The soldering while perfectly doable, seems like a lot more work. That said, I'm lacking in gaining root shell access on devices I'm playing with, hence my presence here.

@miguelreed2499 4 месяца назад

There's an app and you can also enable auto updates on netgear devices now.

@NolanWhitaker-ih1fb 4 месяца назад

Matt, is there a hardware version for this router?

@petergaudiomonte1080 4 месяца назад

I love this stuff man thank you!

@antonyjose2231 5 месяцев назад

Hay matt what WM are using for your OS, looks really clean and easy on the resources. Love the videos ❤

@mattbrwn 5 месяцев назад

using i3wm with i3gaps

@nate4379 4 месяца назад

try netstat with -p ( helps to see the process tied to the port) Not uncommon for developers to use non standard ports.

@dabunnisher29 5 месяцев назад

Hello Matt. Really like your channel. Could you suggest resources and hardware for a noob like me? I have a lot of experience with raspberry pi's and basic electronics, but would like to learn hardware hacking as well. Thank you in advance.

@mattbrwn 5 месяцев назад

Do you have a specific thing that you want to learn? Hardware hacking is a wide category that includes a bunch of stuff. But generally I always have fun grabbing a device from ewaste or a thrift store and learning as much as I can about that target device.

@dabunnisher29 5 месяцев назад

@@mattbrwn Thank you very much for taking the time to respond to my questions. I’m looking for the basics: Essential hardware needed (UART readers, etc.), Essential Software to interact with the target item, and Essential reference material to be able to learn how to interact with the target item. Also, simple projects that a noob would be able to work on. I have Raspberry Pi’s and Raspberry Pi Pico’s (with pico probe). Would I be able to use those to interact with the items?

@dabunnisher29 4 месяца назад

@@mattbrwn Wow.... Thanks for your non-help with resources.