tools for effortless reverse engineering of mikrotik
play

Tools for effortless reverse engineering of MikroTik routers - PowerPoint PPT Presentation

Apr 08, 2023 •656 likes •1.14k views

Tools for effortless reverse engineering of MikroTik routers https://github.com/0ki/mikrotik-tools v3 http ://kirils.org/ Legal disclaimer Goal of this presentation is to allow the members of the research community to assess security and

  1. Tools for effortless reverse engineering of MikroTik routers https://github.com/0ki/mikrotik-tools v3 http ://kirils.org/

  2. Legal disclaimer Goal of this presentation is to allow the members of the research community to assess security and achieve the interoperability of computer programs @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 2 / 47

  3. MikroTik? Anyone even uses it? @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 3 / 47

  4. RouterOS is … ● Linux! – old Linux! ● Startup scripts ● Nova binaries ● Config @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 4 / 47

  5. And it’s also closed source & closed ecosystem @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 5 / 47

  6. A jailbreak is needed... @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 6 / 47

  7. A built-in backdoor. How nice. ● RouterOS 2.9.8 delivered on 15 Nov 2005 – a wild “/nova/etc/devel-login” appears in /nova/bin/login – [ -f /nova/etc/devel-login && username == devel && password == admin.password ] && /bin/ash @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 7 / 47

  8. All we gotta do is ... @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 8 / 47

  9. All we gotta do is ... 1) Create /nova/etc/devel-login 2) telnet to 192.168.88.1 as devel @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 9 / 47

  10. [TAB] to the rescue ● No ls? No problem! – cat, space, tab, tab ● Or, you know, do it properly, and upload busybox – statically linked, for the right architecture ● uname -m – this might be of interest: ● https://busybox.net/downloads/binaries/1.21.1/ @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 10 / 47

  11. But how… ? @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 11 / 47

  12. The old way ● A VirtualBox appliance! ● DEMO @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 12 / 47

  13. The old way ● A VirtualBox appliance! ● Works only if – If your CPU is AR9344 and device has at least two ethernet ports ● RB951G-2HnD, RB951Ui-2HnD <== tested ● CRS109-8G-1S-2HnD-IN, CRS125-24G-1S-IN, CRS125-24G-1S-2HnD-IN ● RB2011L, RB2011LS, RB2011iLS-IN, RB2011iL-IN, RB2011UiAS-IN RB2011UiAS-RM, RB2011UiAS-2HnD-IN ● OmniTIK 5, OmniTIK 5 PoE @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 13 / 47

  14. The new way ● A bash/python script ● Works regardless of architecture ● Very fast ● Can do remote jailbreaks ● Will not help you recover lost passwords ● Will probably get patched soon after this presentation ● DEMO @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 14 / 47

  15. Now. The tools. @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 15 / 47

  16. NPK file sourcing ● getnpk.sh – deps: wget ● reversenpk.sh – deps: unsquashfs, unnpk – https://github.com/rsa9000/npk-tools @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 16 / 47

  17. Kernel patches https://github.com/wsxarcher/routeros-linux-patch @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 17 / 47

  18. RouterOS boot process @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 18 / 47

  19. Where do we put custom binaries? @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 19 / 47

  20. Anywhere! ● “path” looks for specified path in prefixed directories – Used throughout their scripts – Makes using custom scripts easier @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 20 / 47

  21. High level overview of RouterOS @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 21 / 47

  22. NPK format @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 22 / 47

  23. NPK format ● Numeric values are unsigned little endian ● File consists of header, file size, parts and footer. ● File size is 8b less ● Each part consist of: – part type (short) – payload size (long) – payload @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 23 / 47

  24. NPK format ● At least two types of current NPKs: – package ● 0..3 header 1E F1 D0 BA ● footer 10 00 01 00 00 00 49 – footer since 3.22 – restriction (invisible package) ● 0..3 header FB 0F 10 A1 ● footer 03 00 00 00 00 00 @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 24 / 47

  25. Part types @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 25 / 47

  26. supout.rif @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 26 / 47

  27. What is supout.rif? ● Support output – ridiculously intricate format – or RouterOS information file, maybe, idk ¯\_( ツ )_/¯ @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 27 / 47

  28. supout.rif from outside @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 28 / 47

  29. supout.rif section decoding ● swap bits around – per three bytes ● base64 ● section decodes to: – name + ‘\0’ + zlib_compressed_content @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 29 / 47

  30. supout.rif section decoding @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 30 / 47

  31. supout.rif from inside ● What does it contain? – your whole configuration – /proc/ folder – memory addresses – your log – and more @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 31 / 47

  32. DEMO Demo: mikrotik.com xss Demo: decode_supout.py @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 32 / 47

  33. Config files @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 33 / 47

  34. Configuration ● Config is stored in /rw/store as pairs of files – IDX = index – DAT = data @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 34 / 47

  35. IDX format ● Record ID (long) – if ID is 0xFFFFFFFF, field has no content – used for offsetting ● length (long) ● separator (long) – usually 0x05000000 @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 35 / 47

  36. DAT format ● LENGTH (short) ● M2 RECORD of length – Config ID (3 bytes) – type (1 byte) ● content depends on to type @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 36 / 47

  37. Peculiarities / features ● Field IDs shared with web ● Winbox protocol derived from DAT format – Working directly with files? – Dangerous! @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 37 / 47

  38. mt_dat_decoder.py module ● DEMO @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 38 / 47

  39. Where’s my password? ● Calm down! It’s encrypted! @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 39 / 47

  40. The password is ● hashed ● salted ● md5 ● Oh, wait, no. That’s the key. @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 40 / 47

  41. The password key = md5(username + "283i4jfkai3389") password = user["password"] xor key @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 41 / 47

  42. The password tool ● DEMO @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 42 / 47

  43. Backup files @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 43 / 47

  44. Backup file layout ● Header (long) – 0x88ACA1B1 – backup – 0xEFA89172 – encrypted backup ● Length of backup file (long) ● Records of: – Path name, idx contents, dat contents ● Each record consists of length (long) and binary data @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 44 / 47

  45. The bug ● mkdir -p pathname(“/flash/rw/store/”+filename) ● write idx to “/flash/rw/store/”+filename+“.idx” ● write dat to “/flash/rw/store/”+filename+“.dat” @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 45 / 47

  46. decode_backup.py ● DEMO @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 46 / 47

  47. The end. ● Tools & jailbreak available https://github.com/0ki/mikrotik-tools ● Latest appliance: http://02.lv/f/2017/09/15/MT_JB_0.89.ova @KirilsSolovjovs Oct 21, 2017, Hacktivity, Budapest 47 / 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain

Rooting the MikroTik routers A journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no ls Who? Me? Who am I? https://twitter.com/KirilsSolovjovs

753 views • 43 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work

Reverse Engineering TCP/ IP Reverse Engineering TCP/ IP Steven Low EAS, Caltech Joint work with: Li J W Li, J. Wang, Pongsajapan, Tan, Tang, M. Wang P j T T M W Outline Background Layering as optimization decomposition L

932 views • 47 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering &amp; Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The

Reverse Engineering MAC: A Non-Cooperative Game Model Jianwei Huang Information Engineering The Chinese University of Hong Kong Joint work with J.-W. Lee, A. Tang, M. Chiang and A. R. Canderbank J. Huang (CUHK) Reverse Engineering MAC Nov.

605 views • 38 slides
Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at

Reverse Engineering Closed, heterogeneous platforms and the defenders dilemma Looking back at the last 20 years of RE and looking ahead at the next few SSTIC 2018 -- Thomas Dullien (Halvar Flake) Progress in Reverse Engineering 2010

941 views • 64 slides
Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin

Cryptanalysis, Reverse-Engineering and Design of Symmetric Cryptographic Algorithms Lo Perrin SnT, University of Luxembourg April 25, 2017 PhD Defence Introduction On S-Box Reverse-Engineering On Lightweight Cryptography Conclusion

1.76k views • 137 slides
Helping RE with LLVM lionel@lse.epita.fr 1) Reverse Engineering 2) Obfuscation objectives -

Helping RE with LLVM lionel@lse.epita.fr 1) Reverse Engineering 2) Obfuscation objectives -

Helping RE with LLVM lionel@lse.epita.fr 1) Reverse Engineering 2) Obfuscation objectives - confuse tools * hack binary loading * unaligned instructions - confuse human * junk code * proxy calls / vm * cipher 3) unaligned instructions //

789 views • 25 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Understanding human speech recognition: Reverse-engineering the engineering solution using

Understanding human speech recognition: Reverse-engineering the engineering solution using

Cai Wingfield CSLB, Department of Psychology Workshop on Neurocomputation: From Brains to Machines University of Cambridge 25 November 2015 Understanding human speech recognition: Reverse-engineering the engineering solution using EMEG

196 views • 18 slides
Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software

Reverse Engineering CAPTCHAs WCRE 2008 Reverse Engineering CAPTCHAs Abram Hindle, Micheal W. Godfrey, Richard C. Holt Software Architecture Group David R. Cheriton School of Computer Science University of Waterloo Canada

726 views • 57 slides
Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP

Reverse engineering AT32UC3As JTAG Pierre Surply Reverse engineering AT32UC3As JTAG Introduction Overview LSE Summer Week 2014 TAP Controller Scan Chain Pierre Surply Boundary Scan UC3 JTAG EPITA 2016 Reverse engineering Jul

968 views • 72 slides
Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap

Reverse Engineering Dr. Vadim Zaytsev aka @grammarware UvA, MSc SE, 9 November 2015 Roadmap W44 Introduction V.Zaytsev W45 Metaprogramming J.Vinju W46 Reverse Engineering V.Zaytsev W47 Software Analytics M.Bruntink W48 Clone

751 views • 31 slides
Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion

Reverse Engineering DSP Code Pierre Bourdon Introduction DSP Reverse Engineering DSP Code GameCube DSP Analyzing GCN DSP code Pierre Bourdon Conclusion delroth@lse.epita.fr http://lse.epita.fr February 12, 2013 Context Reverse

856 views • 18 slides
SENG 426 SENG 426 Tool Presentation Tool Presentation ~ Prepared by Sherif Saad ~ Spring 2009 ~

SENG 426 SENG 426 Tool Presentation Tool Presentation ~ Prepared by Sherif Saad ~ Spring 2009 ~

SENG 426 SENG 426 Tool Presentation Tool Presentation ~ Prepared by Sherif Saad ~ Spring 2009 ~ 1 Reverse Engineering Reverse Engineering Go to Tools and select Java/J2EE reverse engineering ~ Prepared by Sherif Saad ~ Spring

136 views • 13 slides
Quickstart: RouterOS jailbreaking and security research 19 &amp; 20 JUNE Hack in Paris Author

Quickstart: RouterOS jailbreaking and security research 19 &amp; 20 JUNE Hack in Paris Author

Quickstart: RouterOS jailbreaking and security research 19 &amp; 20 JUNE Hack in Paris Author Lead researcher at Possible Security, Latvia Author of RouterOS jailbreaks CCC, Hack in the Box, Nullcon, BalCCon, CONFidence,

1.38k views • 64 slides
Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Web Security: Injection CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff,

801 views • 63 slides
Compact Oblivious Routing Harald Rcke, Stefan Schmid Fakultt fr Informatik TU Mnchen

Compact Oblivious Routing Harald Rcke, Stefan Schmid Fakultt fr Informatik TU Mnchen

Compact Oblivious Routing Harald Rcke, Stefan Schmid Fakultt fr Informatik TU Mnchen 18. Jun. 2019 Harald Rcke 1/31 Routing in Networks Input: undirected network G = (V, E) 0 18. Jun. 2019 Harald Rcke 2/31 Routing in

713 views • 54 slides
Shell Emanuele Valea &lt;valea@lirmm.fr&gt; LIRMM CNRS / Universit de Montpellier Shell

Shell Emanuele Valea &lt;valea@lirmm.fr&gt; LIRMM CNRS / Universit de Montpellier Shell

Shell Emanuele Valea &lt;valea@lirmm.fr&gt; LIRMM CNRS / Universit de Montpellier Shell It is the external layer of the Operating System It provides a communication link between the O.S. and user Interactive execution Script

887 views • 49 slides
(from Chapter 25 of the text) Things well learn and do

(from Chapter 25 of the text) Things well learn and do

IT350 Web and Internet Programming Fall 2007 SlideSet #12: Perl (from Chapter 25 of the text) Things well learn and do XHTML basics, tables, forms, frames Cascading Style Sheets

348 views • 16 slides
Java 2 Micro Edition Persistent Storage Management F. Ricci 2010/2011 Content Record store

Java 2 Micro Edition Persistent Storage Management F. Ricci 2010/2011 Content Record store

Java 2 Micro Edition Persistent Storage Management F. Ricci 2010/2011 Content Record store Managing record stores Private and shared record stores Records Listening to record changes Query processing: RecordEnumeration ,

1.13k views • 56 slides
About Final Project Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu

About Final Project Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu

About Final Project Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu 1 Language definitions A static scoping language called P . PASCAL-like; lexical scoping; block structure; nested procedure with

406 views • 26 slides
Chapter 8 The Bourne Again Shell Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 8 The Bourne Again Shell Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State

Chapter 8 The Bourne Again Shell Dr. Marjan Trutschl marjan.trutschl@lsus.edu Louisiana State University, Shreveport, LA 71115 Chapter 8 The Bourne Again Shell Startup Files Processes Redirecting Standard Error History Writing

828 views • 39 slides

More recommend