Performs firmware image extraction and analysis using binwalk to identify embedded filesystems, compressed archives, bootloaders, kernel images, and cryptographic material. Covers entropy analysis for detecting encrypted or compressed regions, recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, and string analysis for credential and configuration discovery. Activates for requests involving firmware reverse engineering, IoT device analysis, embedded system security assessment, or router/camera firmware extraction.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-firmware-extraction-with-binwalkExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-firmware-extraction-with-binwalk from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-firmware-extraction-with-binwalk. Access via /performing-firmware-extraction-with-binwalk in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | performing-firmware-extraction-with-binwalk |
| description | 'Performs firmware image extraction and analysis using binwalk to identify embedded filesystems, compressed archives, bootloaders, kernel images, and cryptographic material. Covers entropy analysis for detecting encrypted or compressed regions, recursive extraction of nested archives, SquashFS/CramFS/JFFS2 filesystem mounting, and string analysis for credential and configuration discovery. Activates for requests involving firmware reverse engineering, IoT device analysis, embedded system security assessment, or router/camera firmware extraction. ' |
| domain | cybersecurity |
| subdomain | firmware-analysis |
| tags | - firmware - binwalk - extraction - entropy - IoT-security - reverse-engineering |
| version | 1.0.0 |
| author | mukul975 |
| license | Apache-2.0 |
| nist_csf | - ID.RA-01 - PR.PS-01 - DE.AE-02 |
Do not use for analyzing standard desktop application binaries or malware samples that are not firmware images; use dedicated malware analysis tools instead.
pip install binwalk3 or from system package manager)unsquashfs) for mounting extracted SquashFS filesystemspip install jefferson)strings utility (GNU binutils) for string extractionPerform a signature scan to identify embedded file types and their offsets:
# Basic signature scan - identify all recognized file types
binwalk firmware.bin
# Scan with verbose output showing confidence levels
binwalk -v firmware.bin
# Scan for specific file types only
binwalk -y "squashfs" firmware.bin
binwalk -y "gzip\|lzma\|xz" firmware.bin
# Opcode scan to identify CPU architecture
binwalk -A firmware.bin
# Scan for raw strings to find version info, URLs, credentials
binwalk -R "password" firmware.bin
binwalk -R "http://" firmware.bin
Analyze entropy to identify encrypted, compressed, and plaintext regions:
# Generate entropy plot
binwalk -E firmware.bin
# Entropy with specific block size for higher resolution
binwalk -E -K 256 firmware.bin
# Combined entropy and signature scan
binwalk -BE firmware.bin
Interpreting entropy values:
Extract all identified components from the firmware image:
# Automatic extraction of known file types
binwalk -e firmware.bin
# Recursive extraction (matryoshka mode) for nested archives
binwalk -Me firmware.bin
# Recursive extraction with depth limit
binwalk -Me -d 5 firmware.bin
# Extract specific file type with custom handler
binwalk -D "squashfs filesystem:squashfs:unsquashfs %e" firmware.bin
# Manual extraction of data at a known offset
dd if=firmware.bin of=extracted.squashfs bs=1 skip=327680 count=4194304
Mount extracted filesystems for deep inspection:
# Mount SquashFS filesystem
mkdir /tmp/squashfs_root
unsquashfs -d /tmp/squashfs_root extracted.squashfs
# Mount CramFS filesystem
mkdir /tmp/cramfs_root
mount -t cramfs -o loop extracted.cramfs /tmp/cramfs_root
# Extract JFFS2 filesystem
jefferson extracted.jffs2 -d /tmp/jffs2_root
# Inspect the extracted filesystem
ls -la /tmp/squashfs_root/
find /tmp/squashfs_root -name "*.conf" -o -name "*.cfg" -o -name "*.key"
find /tmp/squashfs_root -name "passwd" -o -name "shadow"
Search extracted filesystem and raw firmware for sensitive data:
# Extract all printable strings
strings -a firmware.bin > all_strings.txt
strings -n 12 firmware.bin | sort -u > long_strings.txt
# Search for credentials and secrets
grep -rni "password\|passwd\|secret\|api_key\|token" /tmp/squashfs_root/etc/
grep -rni "BEGIN.*PRIVATE KEY" /tmp/squashfs_root/
# Find hardcoded URLs and endpoints
grep -rnoE "https?://[a-zA-Z0-9./?=_-]+" /tmp/squashfs_root/
# Search for certificate files
find /tmp/squashfs_root -name "*.pem" -o -name "*.crt" -o -name "*.key" -o -name "*.p12"
# Identify busybox and service versions
strings /tmp/squashfs_root/bin/busybox | grep "BusyBox v"
cat /tmp/squashfs_root/etc/banner 2>/dev/null
Compile comprehensive extraction and analysis findings:
Report should include:
- Firmware metadata (vendor, model, version, build date)
- Identified components with offsets and sizes (bootloader, kernel, filesystem, config)
- Entropy analysis summary with regions of interest
- Extracted filesystem structure and key contents
- Discovered credentials, keys, certificates
- Identified services, daemons, and their versions
- Known CVEs applicable to identified component versions
- Recommendations for hardening or vulnerability remediation
| Term | Definition |
|---|---|
| Firmware | Software embedded in hardware devices providing low-level control; typically contains a bootloader, kernel, root filesystem, and configuration data |
| Entropy Analysis | Statistical measurement of randomness in binary data; high entropy indicates encryption or compression, low entropy indicates plaintext or structured data |
| SquashFS | Read-only compressed filesystem commonly used in embedded Linux devices; supports LZMA, gzip, LZO, and zstd compression |
| Magic Bytes | Known byte sequences at fixed offsets that identify file types; binwalk uses a database of magic signatures to detect embedded files |
| Matryoshka Extraction | Recursive extraction mode where binwalk re-scans extracted files for additional embedded content, handling deeply nested archives |
| CramFS | Compressed ROM filesystem designed for embedded systems with limited flash storage; supports only zlib compression |
| JFFS2 | Journalling Flash File System version 2, designed for NOR and NAND flash memory in embedded devices |
Context: A security researcher is performing an authorized assessment of a consumer router. The firmware update file was downloaded from the vendor's support page. The goal is to identify hardcoded credentials, insecure default configurations, and known vulnerable components.
Approach:
binwalk -e firmware.bin to perform initial extractionbinwalk -E firmware.bin to check entropy and identify encrypted regionsunsquashfs and inspect /etc/passwd, /etc/shadow, and web server configsgrep -rni "password" /tmp/root/etc/Pitfalls:
FIRMWARE EXTRACTION REPORT
====================================
Firmware: TP-Link TL-WR841N v14
File: wr841nv14_en_3_16_9_up.bin
Size: 3,932,160 bytes (3.75 MB)
SHA-256: a1b2c3d4e5f6...
SIGNATURE SCAN RESULTS
Offset Type Size
------ ---- ----
0x00000000 U-Boot bootloader header 64 bytes
0x00020000 LZMA compressed data 1,048,576 bytes
0x00120000 SquashFS filesystem v4.0 2,752,512 bytes
0x003B0000 Configuration partition 131,072 bytes
ENTROPY ANALYSIS
Region 0x000000-0x020000: 4.21 (bootloader - plaintext code)
Region 0x020000-0x120000: 7.89 (kernel - LZMA compressed)
Region 0x120000-0x3B0000: 7.45 (filesystem - SquashFS compressed)
Region 0x3B0000-0x3C0000: 1.12 (config - mostly empty)
EXTRACTED FILESYSTEM
Root filesystem: SquashFS v4.0, LZMA compression
Total files: 847
Total dirs: 112
BusyBox version: 1.19.4
SECURITY FINDINGS
[CRITICAL] Hardcoded root password in /etc/shadow (hash: $1$...)
[HIGH] Telnet daemon enabled by default in /etc/init.d/rcS
[HIGH] Private RSA key at /etc/ssl/private/server.key
[MEDIUM] BusyBox 1.19.4 (CVE-2021-42373, CVE-2021-42374)
[MEDIUM] Dropbear SSH 2014.63 (CVE-2016-3116)
[LOW] UPnP service enabled by default
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
performing-firmware-extraction-with-binwalk fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
performing-firmware-extraction-with-binwalk reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-firmware-extraction-with-binwalk reduced setup friction for our internal harness; good balance of opinion and flexibility.
performing-firmware-extraction-with-binwalk has been reliable in day-to-day use. Documentation quality is above average for community skills.
We added performing-firmware-extraction-with-binwalk from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
We added performing-firmware-extraction-with-binwalk from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend performing-firmware-extraction-with-binwalk for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for performing-firmware-extraction-with-binwalk matched our evaluation — installs cleanly and behaves as described in the markdown.
Registry listing for performing-firmware-extraction-with-binwalk matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in performing-firmware-extraction-with-binwalk — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
showing 1-10 of 54