Skip to content

Feature overview

Endri Hoxha edited this page Aug 21, 2023 · 75 revisions

It's quite difficult to summarize all the features of EMBA, simply because there are too many of them. Therefore, all modules (which are the core of EMBA) will be listed in the correct order of (non-parallel) execution and briefly described.

Pre-modules (P):

These modules will be loaded and called before anything else. Their primary task is to extract firmware out of files/archives and to search for basic information, such as how many files and binaries are available.

  • P02 Basic binary firmware analyzer
    Gives some very basic information about the provided firmware binary. The main tasks currently are:

    • Entropy test with ent
    • Checks the firmware file and select the corresponding extraction modules
    • Does some visualisation via pixd
  • P05 archive extractor
    If EMBA identify a *.zip, *.tar or *.tgz archive, then it will be extracted with patool.

  • P10 VMDK extractor
    If EMBA was able to identify a VMDK image it tries to mount it via guestmount. If this mount was successful, the content will get copied to the firmware directory in the EMBA log directory for further analysis.

  • P14 Mount ext2 images
    Mounts and copies ext images to your disk. Using binwalk with those images kills the permissions and the symlinks and therefore mounting and copying them is the better choice.

  • P15 UBI filesystems extractor
    Extracts UBI filesystems via ubireader_extract_images and ubireader_extract_files.

  • P17 Extract gpg compressed images
    Extracts gpg compressed firmware images (mostly seen to be used by Linksys/Belkin).

  • P19 Mount BSD UFS images
    Mounts and copies BSD UFS images to your disk.

  • P20 Foscam Decryptor
    Extracts encrypted firmware images from the vendor Foscam.

  • P21 Buffalo Decryptor
    Extracts encrypted firmware images from the vendor Buffalo.

  • P22 Extracts Zyxel firmware updates images
    See also the DEF CON 30 Talk - Tear Down this Zywall: Breaking Open Zyxel Encrypted Firmware by Jay Lagorio for further details.

  • P23 Mount Qemu QCOW2
    Mounts and extracts Qemu QCOW2 images.

  • P25 Extracts Android OTA update files
    Generates filesystem directory with payload_dumper

  • P35 UEFI Extractor
    Extracts UEFI images with BIOSUtilities.

  • P55 Unblob firmware extractor This module uses the unblob firmware extractor for extracting the firmware file. image

  • P60 Binary firmware extractor
    If the extraction process of EMBA was failing this module walks through all files and tries to extract every file with the corresponding extractor module - this is the so called deep extraction mode.

  • P65 Package extractor Searches for typical package archives like *.deb, *.ipk or *.apk and extracts them to the root directory. image

  • P99 Binary firmware basic analyzer
    This module performs some last preparation tasks before starting the analysis through the Core modules.

Core modules (S):

These are the core modules of EMBA. This includes checks for possible vulnerabilities, hardening measures or just interesting details of the firmware. These modules are currently optimized for Linux systems.

  • S02 UEFI FwHunt
    Uses FwHunt for identification of vulnerabilities in possible UEFI firmware images.

  • S05 Firmware and testing details
    Counts the number of files and executables in firmware and stores the firmware structure in the log files. It also searches through possible release files config/release_files.cfg for operating system identifiers.

  • S06 Linux distribution detection
    Checks for typical marker of known distributions like Kali Linux, Debian or OpenWRT.

  • S09 Binary firmware version detection
    Iterates through all binaries of the firmware and does static version detection. These versions are used from the F20 module to detect outdated software components and the corresponding vulnerabilities (CVE) and possible exploits.
    image

  • S10 Check binaries
    This module was the first module that existed in EMBA. The main idea is to identify the binaries that are using interesting and weak functions (e.g. strcpy) and to establish a ranking of areas to look at first.

  • S12 Binary protection check
    This module checks for protection mechanisms in the identified binaries via checksec.

  • S13 Weak function check
    This module was the extended S10 module. It iterates through all executables and generates a disassembly with objdump. This disassembly is further analysed for interesting functions like strcpy (defined in helpers.cfg). Additionally it counts these functions and shows which binary uses which function most.


    If this module failes using objdump, the module S14 tries to disassemble the binaries with radare2.

  • S14 Weak function check with radare2
    As S13 it iterates through all executables and generates a disassembly with radare2. All other steps are quite similar to S13. As the module runs quite long with high CPU load it only gets executed when the objdump module fails.

  • S15 Check bootloader and system startup
    Scans for device tree blobs, bootloader and startup files and checks for the default runlevel.

  • S20 Check shell scripts with shellchecker
    Checks for bugs, stylistic errors, etc. in shell scripts, then it lists the found error types.

  • S21 Check python scripts with pylint
    Checks for bugs, stylistic errors, etc. in python scripts, then it lists the found error types.

  • S22 Check php scripts with progpilot
    Checks for bugs, stylistic errors, etc. in php scripts, then it lists the found error types. It also checks the php.ini file.

  • S24 Find kernel and startup parameters in extracted files
    Identifies the kernel file and the init command line.

  • S25 Check kernel
    Determines kernel version and description and checks for kernel configuration. It uses linux-exploit-suggester to check for possible kernel exploits and analyzes kernel modules to find which license they have and if they are stripped. It also looks for the modprobe.d directory and lists its content.

  • S35 Check HTTP files
    Searches for http and webserver (Apache, nginx, Lighttpd, etc.) related files and checks for php.ini.

  • S40 Search files with weak permissions
    Scans the firmware for setuid, setgid, world writable and shadow files and checks if all rc.d and init.d files have weak permissions.

  • S45 Search password files
    Searches for password related files and tries to extract passwords and root accounts.

  • S50 Check users, groups and authentication
    Checks for users with UID 0; for non-unique accounts, group IDs, group names; scans all available user accounts and possible NIS(+) authentication support. It looks up sudoers file and analyzes it for possible vulnerabilities. It also searches for PAM authentication files and analyze their usage.

  • S55 Search history files
    Searches for possible history files like .bash_history.

  • S60 Search certification files and other interesting stuff
    Scrapes firmware for certification files and their end date. On outdated certificates it prints a warning.

  • S65 Search/scan config file
    Scans system for typical config files, e.g. *.cfg or fstab and analyzes fstab for user details.

  • S70 Search hidden files
    Searches for all hidden files in the firmware.

  • S75 Search network configs
    A more exceptional search for files like resolv.conf, iptables.conf and snmpf.conf and analyzes their content. Checks systemd network configuration files.

  • S80 Check cronjobs
    Examine all files for cronjob configuration, e.g. cron or crontab and lists their jobs and other possible intriguing details.

  • S85 Check SSH
    Searches for ssh-related files and squid configuration files. Additionally it tests found sshd configuration files with sshdc.

  • S90 Search Mail files
    Searches in /var/mail for mail files.

  • S95 Check interesting binaries
    Searches explicitly for binaries like gcc or gdb and also binaries for post exploitation like wget or ftp.

  • S100 Search areas for command injection
    Looks for web-based files in folders like www and searches for very basic code execution patterns inside of them. This module is currently in a very early state and needs massive improvements.

  • S106 Deep analysis of files for private keys
    Searches for files with a private key inside.

  • S107 Deep analysis of files for password hashes
    Tests all firmware files for password hashes.

  • S108 Deep analysis of files for password hashes with stacs
    Tests all firmware files for password hashes with the stacs engine and the corresponding community ruleset.

  • S110 Check for code patterns with yara
    Checks files with yara for suspicious patterns.

  • S115 Software component and version detection via usermode emulation
    Emulates firmware executables with qemu to identify version details. This module and needs to be activated separately via the -E switch. It is also recommended to only use this technique in a dockerized environment.

  • S116 Extract version information from S115
    Analyzes the results from the user-mode emulator (S115) and extracts version details. image Learn more about the emulator.

  • S120 Check binaries with cwe-checker
    Runs cwe-checker to check binary for common bug classes such as vicious functions or integer overflows. As the runtime is quite long, it needs to be activated separately via -c switch.

Live testing modules (L):

These modules are trying to emulate the embedded device in system emulation mode. See also this wiki page for further details.

Finishing modules (F):

These modules are the last ones in an EMBA run. They are used for summarizing and presenting an overview of the results of previous modules.

  • F10 License summary
    Collects license details and gives a list with binaries, identified version and the corresponding license (if available). The license details are maintained in the configuration file config/bin_version_strings.cfg.
    image

  • F20 Final CVE aggregator
    Aggregates all found version numbers together from S06, S09, S25 and S116 and searches with cve-search for known vulnerabilities. Finally it checks multiple sources for known exploits that could possible be used against the target system.
    image Learn more about the aggregator.

  • F21 CycloneDX SBOM converter This module generates a minimal json SBOM from the identified software inventory via cyclonedx. image

  • F50 Final aggregator
    Generates the final summary and report of the firmware analysis. image image image Learn more about the aggregator.