How to Use binwalk (BSWJ)

In this “How to Use binwalk (BSWJ)” course, cybersecurity expert Joe Perry takes you on another “Breaking Stuff with Joe” (BSWJ) adventure by showing you how to use the analysis tool binwalk to find executable code and embedded files inside binary files. Such images can be used to crack IoT devices.

Course Content

BSWJ: binwalk


BSWJ: binwalk
Course Description

Why use Binwalk?

Welcome to Breaking Stuff with Joe, where we explore some of the most crucial cybersecurity tools available for use in Kali Linux. In this section, we will be discussing binwalk, an analysis tool for finding executable code and embedded files inside binary files. More specifically, it is often used to find and extract firmware images from binary files. These images can be used to crack IoT devices or any device that relies on code that is embedded into hardware.

*Cybrary has a lot more to offer than this Binwalk tutorial. Signup for a free account to learn other things, like this!*

Where does Binwalk come from?

Binwalk was developed as an open source program for extracting embedded files out of firmware images. The program was developed by Craig Heffner, a Principal Reserve Engineer for ReFirm Labs. ReFirm Labs is a cybersecurity company that specializes in preventing firmware hacks, discovering firmware exploits, and providing open-source software for firmware hacking.

How to use Binwalk?

In order to properly utilize binwalk, we must first understand what firmware is. In short, firmware is software that is designed for hardware. As the name implies, it is something between hardware and software. Firmware is physically contained within the device’s hardware, and it is designed to be updated by online networks or physical media. For example, a DSLR camera contains firmware within its physical chips (hardware) for taking photos, storing them, rendering menus, interpreting physical button inputs, and navigating stored memory. In order to maintain compatibility with photo software on host computers, firmware updates can be provided over the internet and USB connections.

Installing binwalk is a non-issue; it comes pre-built within installations of Kali Linux. As per usual, consulting the manual page of the program will provide additional info on its function and optional flags. This is done using the manual command as such:

man binwalk

Alternatively, we can use the help option flag to discover more information:

binwalk –h

These flags in particular will be useful when extracting embedded files from binary files:

-B: this flag searches for common file signatures in the firmware image -e: this flag extracts all embedded files in the firmware image -S: this flag searches for a text string within the firmware image -M: this flag recursively scans the files within extracted files

Once understood, this tool is relatively simple and straightforward. In order to understand the function of binwalk, let’s take a look an example extraction of a firmware binary: Say you want to analyze or reverse engineer a firmware update file for a car’s GPS navigation system. Assume the firmware file name is “GPSNavSystem1123.bin”. We want to identify common file signatures in the firmware image, or addresses within the code that indicate well-known use-cases. In this scenario, our console command would look like this:

binwalk –B GPSNavSystem1123.bin

Once executed, the command will return a table of decimal addresses in the code along with their hexadecimal counterpart. Next to the addresses will be a short description of the code’s function. Hackers can then use these addresses to identify and tinker with the program’s code. For example, a hex editor can be used to remove essential lines of code and cause the firmware update to render the device unusable.

Teaching Assistant George Mcpherson and Vikramajeet Khatri

(Disclaimer: Breaking Stuff with Joe is a Cybrary series that will be running indefinitely. You will not earn CEU/CPE hours by watching any individual 'Breaking Stuff with Joe' episode. However, you can still earn a certificate of completion for each episode completed.)

This course is part of a Career Path:
Become a SOC Analyst - Level 3
This Career Path is for a Security Operations Center Analyst (SOC Analyst). This particular Career Path covers a more advanced-level SOC role. As a SOC Analyst, your primary duty is to ensure that the organization’s digital assets are secure and protected from unauthorized access. That means that you are responsible for protecting both online and on-premise infrastructures, monitoring data to identify suspicious activity, and identifying and mitigating risks before there is a breach. In the event that a breach does occur, a SOC analyst will be on the front line, working to counter the attack.

Instructed by

Joe Perry

I’m a graduate of the Joint Cyber Analysis Course, the Advanced Cyber Training Program, and the Computer Network Operations Development Program. I’ve offered consultation to organizations of sizes from 10 employees to tens of thousands of employees, and I’ve contributed to dozens of security curricula and training programs.

In my rare free time, I write tabletop and live action games, and manage events and gaming conventions. In the even more rare downtime between those events, I enjoy reading and rowing. In 2019 I’m working on a personal project to read 100 new books by the end of the year.

Cybrary Logo
Certification Body
Certificate of Completion

Complete this entire course to earn a How to Use binwalk (BSWJ) Certificate of Completion