BSWJ: binwalk


Time: 4 minutes
Difficulty: Intermediate
Video Transcription
00:00
[MUSIC] Hello everyone and welcome back to Breaking Stuff With Joe here on Cybrary On Demand. Today we're going to be talking about the tool Binwalk. Now, Binwalk is a great forensic utility for examining firmware images and extracting executables, images, different file types. Just anything you might be able to pull from a firmware image, this is capable of doing. It's a really simple tool to use, very, very effective, and it's a great way to do that first-pass scan of any target of forensic activity if you have a firmware image. We're going to see how easy it is to use, we're going to see how useful it is, and we're going to actually show it in use here on Breaking Stuff With Joe.

As usual, here we are back in our Kali VM. Now, you may note that the text on the screen is a little bit smaller than usual, a little bit tougher to read. There's a good reason for that. You'll see in just a second. As I said before in the intro, we're looking at the tool called Binwalk today. It's a quick look because it's a pretty easy tool to use at its most basic level. All Binwalk is really doing is searching through a given binary image. Generally speaking, firmware images are what you're looking for. It's just hunting for any file signatures, any images, any files that it can find inside of that firmware.

[NOISE] We're going to go ahead and we're going to just do a quick example to see how you could use this tool. Now, I downloaded a firmware file off of the Intel website pretty much at random. We're going to go ahead, we're just going to run against that. First, just to get a look at all the different options you have with Binwalk, because it is a pretty hefty tool. You can see that it will attempt to extract known file types, if you give it that opportunity; it will attempt to calculate file entropy. You can find all sorts of different signatures, which is what we're going to be looking for in this case. We're going to be using this -B option here in just a second to find common file signatures. You can see we have disassembly scan options, binary differential options. This is a very robust tool that can perform very in-depth forensic analysis on this binary that we have access to. In this case, we're really just wanting to take a quick look and see what we can pull out at an initial scan and see what information we can gather with basically no work.

We're going to go ahead and run binwalk -B, and then we'll just autocomplete with this file. Again, this is just a firmware image that I pulled down from Intel. You can see this is why we didn't zoom in. If you zoom in it becomes very, very difficult to read. Here you can see we've got a few different pieces of information. We have the decimal location, the hexadecimal, and then we have a description of what was found there. This is again just looking for common file signatures, and as soon as it finds one, it reports the location both in decimal and hexadecimal, and then it gives you a description. It's got ARJ archive data, so these are archives. You can see most of the files are found in archives, with some exceptions. We have two copyright strings here, both saying copyright from Intel. You can see that we've got an initial look at all the different pieces of file information already in here. You can see over here we've got the original names of these different files that have been turned into archives. You can see that the OS is MS-DOS; it's for a Windows system. The compressed file size, versions; you can do some digging into these ARJs. Of course, because we know where they are and we know that Binwalk is able to identify them very easily, we can extract those actual archives and start digging through them.

Now, it would be the subject of a much more focused and, of course, much longer course. But that's the work that you can start doing and start playing around with this tool on your own time, and then in some of the labs that we have available here on Cybrary. That's all there is for this tool, Binwalk. Again, it is a tool for forensic examination of firmware images or really any binary, but most specifically and most generally, firmware images. Thank you all for watching. This has been Breaking Stuff With Joe on Cybrary On Demand. [MUSIC]
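To make concrete what the `binwalk -B` output in the video is built from, here is a minimal signature scanner in Python. It is an added example written for this page; it is not binwalk's code and not part of the video. It does the same things the transcript points at: a magic-byte scan that reports a DECIMAL / HEXADECIMAL / DESCRIPTION table, an ARJ header parse that recovers the original file name, host OS (0 = MS-DOS) and compressed size, a copyright-string hit, and a carve of each match. The ARJ header layout and host-OS codes come from the ARJ format; everything in the sample image (the `FWUPDATE.EXE` name, the copyright string, the gzip member) is constructed for the example and is not Intel's firmware.

```python
#!/usr/bin/env python3
"""Minimal binwalk-style signature scan and carve over a constructed sample image.
Added example for this page, not binwalk's own code."""
import gzip, re, struct, zlib
from collections import namedtuple

# Host-OS codes from the ARJ header format (0 = MS-DOS, as in the video).
ARJ_HOST_OS = {0: "MS-DOS", 1: "PRIMOS", 2: "UNIX", 3: "AMIGA", 4: "MAC-OS", 5: "OS/2",
               6: "APPLE GS", 7: "ATARI ST", 8: "NEXT", 9: "VAX VMS", 10: "WIN95", 11: "WIN32"}
ARJ_MAX_BASIC_HEADER = 2600  # limit from the ARJ format notes; anything larger is a false hit
# length: container size if the format told us, None if unknown, 0 for string hits
Hit = namedtuple("Hit", "offset description length")

def describe_arj(buf, off):
    """Validate an ARJ basic header at buf[off:] and describe it, or return None. The two
    magic bytes 60 EA alone hit random data; the size/version/host-OS checks remove that noise."""
    if len(buf) < off + 34:
        return None
    (basic_size,) = struct.unpack_from("<H", buf, off + 2)
    if not 30 <= basic_size <= ARJ_MAX_BASIC_HEADER or off + 4 + basic_size > len(buf):
        return None
    hdr = buf[off + 4:off + 4 + basic_size]
    first_size, version, min_version, host_os = hdr[0], hdr[1], hdr[2], hdr[3]
    if first_size < 30 or first_size > basic_size or host_os not in ARJ_HOST_OS:
        return None
    comp_size, orig_size = struct.unpack_from("<II", hdr, 12)  # date/time occupies 8..11
    name = hdr[first_size:].split(b"\x00", 1)[0]  # NUL-terminated filename after the fixed fields
    if not name or not name.isascii():
        return None
    return ('ARJ archive data, version %d, minimum version to extract: %d, original name: "%s", '
            'compressed size: %d, uncompressed size: %d, os: %s'
            % (version, min_version, name.decode(), comp_size, orig_size, ARJ_HOST_OS[host_os]))

def describe_gzip(buf, off):
    if len(buf) < off + 10 or buf[off + 2] != 8:  # header: 1F 8B, CM (8 = deflate), FLG, MTIME(4), XFL, OS
        return None
    return "gzip compressed data, deflate, last modified: %d" % struct.unpack_from("<I", buf, off + 4)

def gzip_length(buf, off):
    """True member length: inflate and see how much input zlib consumed, so the carve
    does not drag along whatever follows the member."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        d.decompress(buf[off:])
    except zlib.error:
        return None
    return len(buf) - off - len(d.unused_data) if d.eof else None

# (magic bytes, describe(buf, off) -> str or None, length(buf, off) -> int or None)
SIGNATURES = [(b"\x60\xea", describe_arj, None), (b"\x1f\x8b", describe_gzip, gzip_length)]
COPYRIGHT_RE = re.compile(rb"[Cc]opyright[ -~]{3,80}")  # printable run, like binwalk's string hits

def scan(buf):
    """Signature scan (what the video runs as binwalk -B), hits sorted by offset."""
    hits = []
    for magic, describe, length in SIGNATURES:
        pos = buf.find(magic)
        while pos != -1:
            desc = describe(buf, pos)
            size = length(buf, pos) if (desc and length) else None
            if desc and (size or not length):  # a failed length check means a false positive
                hits.append(Hit(pos, desc, size))
            pos = buf.find(magic, pos + 1)
    for m in COPYRIGHT_RE.finditer(buf):
        hits.append(Hit(m.start(), 'Copyright string: "%s"' % m.group().decode(), 0))
    return sorted(hits, key=lambda h: h.offset)

def report(hits):
    """The DECIMAL / HEXADECIMAL / DESCRIPTION table binwalk prints."""
    rows = ["%-14s%-16s%s" % ("DECIMAL", "HEXADECIMAL", "DESCRIPTION"), "-" * 72]
    return "\n".join(rows + ["%-14d%-16s%s" % (h.offset, "0x%X" % h.offset, h.description) for h in hits])

def carve(buf, hits):
    """Cut each container out: real length when known, else up to the next container or EOF."""
    containers = [h for h in hits if h.length != 0]  # string hits are reported, not carved
    pieces = {}
    for i, h in enumerate(containers):
        end = containers[i + 1].offset if i + 1 < len(containers) else len(buf)
        pieces[h.offset] = buf[h.offset:h.offset + h.length if h.length else end]
    return pieces

SAMPLE_PAYLOAD = b"Intel firmware update utility (constructed sample text)\n" * 4

def build_sample():
    """Constructed stand-in for a firmware image (NOT a real Intel image): padding, a gzip
    member, a copyright string and a hand-built ARJ main header. Returns (image, offsets)."""
    basic = bytes([30, 11, 1, 0, 0, 0, 2, 0])  # first hdr size, v11, min v1, MS-DOS, flags, method, type 2
    basic += struct.pack("<IIIIHHH", 0, 4096, 9216, 0, 0, 0, 0)  # date/time, sizes, crc, filespec, mode, host
    basic += b"FWUPDATE.EXE\x00\x00"  # filename, empty comment
    arj = b"\x60\xea" + struct.pack("<H", len(basic)) + basic + struct.pack("<IH", 0, 0)
    parts = [b"\x00" * 64, gzip.compress(SAMPLE_PAYLOAD, mtime=0), b"\xff" * 32,
             b"Copyright (C) Intel Corporation\x00", b"\x00" * 48, arj, b"\x00" * 16]
    offsets, pos = {}, 0
    for label, part in zip(["pad", "gzip", "fill", "copyright", "pad2", "arj", "tail"], parts):
        offsets[label], pos = pos, pos + len(part)
    return b"".join(parts), offsets

if __name__ == "__main__":
    image, _ = build_sample()
    hits = scan(image)
    print(report(hits))
    print({"0x%X" % o: len(p) for o, p in carve(image, hits).items()})
```

Two points this makes that the table in the video does not: a two-byte magic such as ARJ's 60 EA will match inside compressed data unless the header behind it is actually parsed (that is what separates a real hit from noise), and carving needs the container's true length, which for gzip you only learn by inflating it; binwalk's `-e` extraction does the equivalent per format. Against the real tool, the same first pass is `binwalk -B image.bin`, extraction is `binwalk -e image.bin`, and `binwalk -E image.bin` gives the entropy view the speaker mentions, where high-entropy regions are the compressed or encrypted blocks a signature scan sees nothing in.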