WEBVTT

00:00.000 --> 00:06.750
>> [MUSIC] Hello everyone and

00:06.750 --> 00:08.430
welcome back to
Breaking Stuff With Joe

00:08.430 --> 00:10.395
here on Cybrary On Demand.

00:10.395 --> 00:12.750
Today we're going to be talking
about the tool Binwalk.

00:12.750 --> 00:15.735
Now, Binwalk is a
great forensic utility

00:15.735 --> 00:17.400
for examining firmware images

00:17.400 --> 00:19.304
and extracting executables,

00:19.304 --> 00:21.655
images, different file types.

00:21.655 --> 00:23.250
Just anything you
might be able to

00:23.250 --> 00:24.850
pull from a firmware image,

00:24.850 --> 00:26.400
this is capable of doing.

00:26.400 --> 00:28.170
It's a really
simple tool to use,

00:28.170 --> 00:29.430
very, very effective,

00:29.430 --> 00:32.325
and it's a great way to
do that first-pass scan

00:32.325 --> 00:33.660
of any target of

00:33.660 --> 00:36.015
forensic activity if you
have a firmware image.

00:36.015 --> 00:37.520
We're going to see how
easy it is to use,

00:37.520 --> 00:38.915
we're going to see
how useful it is,

00:38.915 --> 00:40.610
and we're going to
actually show it in use

00:40.610 --> 00:43.500
here on Breaking Stuff With Joe.

00:44.180 --> 00:48.070
As usual, here we are
back in our Kali VM.

00:48.070 --> 00:50.090
Now, you may note
that the text on

00:50.090 --> 00:52.280
the screen is a little
bit smaller than usual,

00:52.280 --> 00:53.570
a little bit tougher to read.

00:53.570 --> 00:54.905
There's a good reason for that.

00:54.905 --> 00:56.500
You'll see in just a second.

00:56.500 --> 00:58.265
As I said before in the intro,

00:58.265 --> 01:00.380
we're looking at the tool
called Binwalk today.

01:00.380 --> 01:01.700
It's a quick look because it's

01:01.700 --> 01:04.415
a pretty easy tool to use
at its most basic level.

01:04.415 --> 01:06.290
All Binwalk is really
doing is searching

01:06.290 --> 01:08.240
through a given binary image.

01:08.240 --> 01:09.110
Generally speaking,

01:09.110 --> 01:11.620
firmware images are what
you're looking for.

01:11.620 --> 01:15.620
It's just hunting for any
file signatures, any images,

01:15.620 --> 01:19.430
any files that it can find
inside of that firmware.

01:19.430 --> 01:22.610
[NOISE] We're going to go
ahead and we're going to just

01:22.610 --> 01:25.790
do a quick example to see
how you could use this tool.

01:25.790 --> 01:27.920
Now, I downloaded a
firmware file off of

01:27.920 --> 01:30.425
the Intel website
pretty much at random.

01:30.425 --> 01:31.850
We're going to go
ahead, we're just going

01:31.850 --> 01:33.455
to run against that.

01:33.455 --> 01:35.030
First, just to get a look at

01:35.030 --> 01:36.290
all the different
options you have with

01:36.290 --> 01:39.185
Binwalk because it is
a pretty hefty tool.

01:39.185 --> 01:40.640
You can see that
it will attempt to

01:40.640 --> 01:42.120
extract known file types,

01:42.120 --> 01:43.670
if you give it that opportunity,

01:43.670 --> 01:45.530
it will attempt to
calculate file entropy.

01:45.530 --> 01:47.300
You can find all sorts
of different signatures,

01:47.300 --> 01:49.810
which is what we're going to
be looking for in this case.

01:49.810 --> 01:52.460
We're going to be using this
-B option here in just a

01:52.460 --> 01:55.190
second to find common
file signatures.

01:55.190 --> 01:57.020
You can see we have
disassembly scan options,

01:57.020 --> 01:58.760
binary differential options.

01:58.760 --> 02:01.130
This is a very robust
tool that can perform

02:01.130 --> 02:03.500
very in-depth
forensic analysis on

02:03.500 --> 02:05.990
this binary that
we have access to.

02:05.990 --> 02:07.550
In this case, we're
really just wanting to

02:07.550 --> 02:09.530
take a quick look and
see what we can pull out

02:09.530 --> 02:11.690
at an initial scan and
see what information we

02:11.690 --> 02:14.415
can gather with
basically no work.

02:14.415 --> 02:16.290
We're going to go
ahead and run Binwalk,

02:16.290 --> 02:20.375
-B, and then we'll just
autocomplete with this file.

02:20.375 --> 02:21.995
Again, this is just
a firmware image

02:21.995 --> 02:24.220
that I pulled down from Intel.

02:24.220 --> 02:28.005
You can see this is
why we didn't zoom in.

02:28.005 --> 02:33.540
If you zoom in it becomes
very, very difficult to read.

02:33.540 --> 02:35.240
Here you can see we've got

02:35.240 --> 02:37.505
a few different pieces
of information.

02:37.505 --> 02:40.340
We have the decimal location,

02:40.340 --> 02:41.450
the hexadecimal,
and then we have

02:41.450 --> 02:43.555
a description of what
was found there.

02:43.555 --> 02:46.730
This is again just looking
for common file signatures,

02:46.730 --> 02:48.245
and as soon as it finds one,

02:48.245 --> 02:51.200
it reports the location both
in decimal and hexadecimal,

02:51.200 --> 02:52.850
and then it gives
you a description.

02:52.850 --> 02:54.920
It's got an ARJ archive data,

02:54.920 --> 02:56.105
so these are archives.

02:56.105 --> 02:57.650
You can see most
of the files are

02:57.650 --> 02:59.450
found in archives
with some exceptions.

02:59.450 --> 03:01.110
We have two copyright strings

03:01.110 --> 03:04.260
here both saying
copyright from Intel.

03:04.260 --> 03:07.355
You can see that we've
got an initial look at

03:07.355 --> 03:09.025
all the different pieces of

03:09.025 --> 03:11.090
file information
already in here.

03:11.090 --> 03:12.650
You can see over here we've got

03:12.650 --> 03:13.820
the original names of

03:13.820 --> 03:14.930
these different files that have

03:14.930 --> 03:16.250
been turned into archives.

03:16.250 --> 03:18.500
You can see that the
OS is MS-DOS,

00:18.500 --> 00:19.865
so it's for a Windows system.

03:19.865 --> 03:22.160
The compressed file
size versions,

03:22.160 --> 03:25.040
you can do some digging
into these ARJs.

03:25.040 --> 03:27.320
Of course, because we know
where they are and we know

03:27.320 --> 03:29.830
that Binwalk is able to
identify them very easily,

03:29.830 --> 03:31.820
we can extract those
actual archives

03:31.820 --> 03:32.870
and start digging through them.

03:32.870 --> 03:34.640
Now, it would be the
subject of a much more

03:34.640 --> 03:36.605
focused and of course,
much longer course.

03:36.605 --> 03:38.210
But that's the work that
you can start doing

03:38.210 --> 03:39.980
and start playing
around with this tool

03:39.980 --> 03:41.780
on your own time
and then in some of

03:41.780 --> 03:44.395
the labs that we have
available here on Cybrary.

03:44.395 --> 03:47.080
That's all there is for
this tool, Binwalk.

03:47.080 --> 03:48.200
Again, it is a tool for

03:48.200 --> 03:51.035
forensic examination
of firmware images

03:51.035 --> 03:52.100
or really any binary,

03:52.100 --> 03:53.360
but most specifically and most

03:53.360 --> 03:55.250
generally, firmware images.

03:55.250 --> 03:56.550
Thank you all for watching.

03:56.550 --> 03:57.990
This has been Breaking
Stuff With Joe

03:57.990 --> 03:59.520
on Cybrary On Demand.

03:59.520 --> 04:06.970
[MUSIC]

