Tools for effortless reverse engineering of MikroTik routers (PowerPoint PPT presentation)
https://github.com/0ki/mikrotik-tools v3
http://kirils.org/
Oct 21, 2017, Hacktivity, Budapest @KirilsSolovjovs 2 / 47
Legal disclaimer
Goal of this presentation is to allow the members of the research community to assess security and achieve the interoperability of computer programs
MikroTik? Anyone even uses it?
RouterOS is …
- Linux!
– old Linux!
- Startup scripts
- Nova binaries
- Config
And it’s also closed source & closed ecosystem
A jailbreak is needed...
A built-in backdoor. How nice.
- RouterOS 2.9.8, delivered on 15 Nov 2005
– a wild “/nova/etc/devel-login” appears in /nova/bin/login
– [ -f /nova/etc/devel-login && username == devel && password == admin.password ] && /bin/ash
All we gotta do is ...
1) Create /nova/etc/devel-login
2) telnet to 192.168.88.1 as devel
[TAB] to the rescue
- No ls? No problem!
– cat, space, tab, tab
- Or, you know, do it properly, and upload busybox
– statically linked, for the right architecture
- uname -m
– this might be of interest:
- https://busybox.net/downloads/binaries/1.21.1/
But how… ?
The old way
- A VirtualBox appliance!
- DEMO
- Works only if
– your CPU is an AR9344 and the device has at least two ethernet ports
- RB951G-2HnD, RB951Ui-2HnD <== tested
- CRS109-8G-1S-2HnD-IN, CRS125-24G-1S-IN, CRS125-24G-1S-2HnD-IN
- RB2011L, RB2011LS, RB2011iLS-IN, RB2011iL-IN, RB2011UiAS-IN, RB2011UiAS-RM, RB2011UiAS-2HnD-IN
- OmniTIK 5, OmniTIK 5 PoE
The new way
- A bash/python script
- Works regardless of architecture
- Very fast
- Can do remote jailbreaks
- Will not help you recover lost passwords
- Will probably get patched soon after this presentation
- DEMO
Now. The tools.
NPK file sourcing
- getnpk.sh
– deps: wget
- reversenpk.sh
– deps: unsquashfs, unnpk
– https://github.com/rsa9000/npk-tools
Kernel patches
- https://github.com/wsxarcher/routeros-linux-patch
RouterOS boot process
Where do we put custom binaries?
Anywhere!
- “path” looks for the specified path in prefixed directories
– Used throughout their scripts
– Makes using custom scripts easier
High level overview of RouterOS
NPK format
NPK format
- Numeric values are unsigned little endian
- File consists of header, file size, parts and footer
- File size field is 8 bytes less than the actual file size
- Each part consists of:
– part type (short)
– payload size (long)
– payload
NPK format
- At least two types of current NPKs:
– package
- bytes 0..3 (header): 1E F1 D0 BA
- footer: 10 00 01 00 00 00 49
– footer present since 3.22
– restriction (invisible package)
- bytes 0..3 (header): FB 0F 10 A1
- footer: 03 00 00 00 00 00
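A walker for the NPK layout the slides describe, added here as an example (not code from mikrotik-tools or npk-tools). The footer bytes listed on the slide read as one more part (type 0x0010 with the single payload byte 0x49 for packages, type 0x0003 with an empty payload for restrictions), so the walker treats the footer as the last part; that reading, the sample part types and the sample payloads are my assumptions.

```python
import struct

PKG_MAGIC = bytes.fromhex("1EF1D0BA")          # "package" NPK, bytes 0..3
RESTRICTION_MAGIC = bytes.fromhex("FB0F10A1")  # "restriction" (invisible package)
PART_HDR = struct.Struct("<HI")                # part type (short), payload size (long)

def parse_npk(blob: bytes) -> dict:
    """Walk an NPK: 4-byte magic, 4-byte size (= file size - 8), then parts of
    (type, payload size, payload). The footer comes back as the last part."""
    if len(blob) < 8:
        raise ValueError("too short for an NPK header")
    if blob[:4] == PKG_MAGIC:
        kind = "package"
    elif blob[:4] == RESTRICTION_MAGIC:
        kind = "restriction"
    else:
        raise ValueError("unknown NPK magic %s" % blob[:4].hex())
    (declared,) = struct.unpack_from("<I", blob, 4)
    if declared != len(blob) - 8:
        raise ValueError("size field %d != %d - 8" % (declared, len(blob)))
    parts, off = [], 8
    while off < len(blob):
        if off + PART_HDR.size > len(blob):
            raise ValueError("truncated part header at offset %d" % off)
        ptype, psize = PART_HDR.unpack_from(blob, off)
        off += PART_HDR.size
        if off + psize > len(blob):
            raise ValueError("part %#06x claims %d bytes past EOF" % (ptype, psize))
        parts.append((ptype, blob[off:off + psize]))
        off += psize
    return {"kind": kind, "parts": parts}

def build_npk(magic: bytes, parts) -> bytes:
    """Inverse of parse_npk; used here only to construct sample files."""
    body = b"".join(PART_HDR.pack(t, len(p)) + p for t, p in parts)
    return magic + struct.pack("<I", len(body)) + body

# Constructed samples: part types 1 and 2 and their payloads are made up; the
# last part of each reproduces the footer bytes listed on the slide.
SAMPLE_PKG = build_npk(PKG_MAGIC, [(1, b"package-name"), (2, b"more-data"), (0x10, b"I")])
SAMPLE_RESTRICTION = build_npk(RESTRICTION_MAGIC, [(3, b"")])

if __name__ == "__main__":
    for name, blob in (("package", SAMPLE_PKG), ("restriction", SAMPLE_RESTRICTION)):
        info = parse_npk(blob)
        print(name, info["kind"], [(t, len(p)) for t, p in info["parts"]])
```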
Part types
supout.rif
What is supout.rif?
- Support output
– ridiculously intricate format
– or RouterOS information file, maybe, idk ¯\_(ツ)_/¯
supout.rif from outside
supout.rif section decoding
- swap bits around
– per three bytes
- base64
- section decodes to:
– name + ‘\0’ + zlib_compressed_content
supout.rif from inside
- What does it contain?
– your whole configuration
– /proc/ folder
– memory addresses
– your log
– and more
DEMO
- Demo: mikrotik.com XSS
- Demo: decode_supout.py
Config files
Configuration
- Config is stored in /rw/store as pairs of files
– IDX = index
– DAT = data
IDX format
- Record ID (long)
– if ID is 0xFFFFFFFF, the field has no content; it is used for offsetting
- length (long)
- separator (long)
– usually 0x05000000
DAT format
- LENGTH (short)
- M2 RECORD of that length
– Config ID (3 bytes)
– type (1 byte)
- content depends on the type
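A read-only walker for an .idx/.dat pair as laid out on the two slides above, added as an example (not the mt_dat_decoder.py module). It assumes that an entry's .dat offset is the running sum of the lengths of all earlier entries (which is what the 0xFFFFFFFF placeholders keep in step), that LENGTH does not count its own two bytes, and that "M2" is a literal magic; the sample records and their field types are constructed.

```python
import struct

IDX_ENTRY = struct.Struct("<III")  # record id, length, separator: three LE longs
EMPTY_ID = 0xFFFFFFFF              # entry without content, only keeps offsets in step
USUAL_SEP = 0x00000005             # 05 00 00 00 on disk, as on the slide

def parse_idx(idx: bytes):
    """Yield (record_id, dat_offset, length) per live entry. Assumption: .dat records
    lie back to back, so the offset is the sum of all earlier lengths, empty ones too."""
    if len(idx) % IDX_ENTRY.size:
        raise ValueError("idx size %d is not a multiple of 12" % len(idx))
    offset = 0
    for rec_id, length, _sep in IDX_ENTRY.iter_unpack(idx):  # _sep is usually 5
        if rec_id != EMPTY_ID:
            yield rec_id, offset, length
        offset += length

def dat_record(dat: bytes, offset: int, length: int) -> dict:
    """Split one .dat record: LENGTH (short), 'M2', then the first field's 3-byte config
    id and 1-byte type; contents are type dependent and left raw. Assumptions: LENGTH
    excludes its own two bytes and 'M2' is a literal magic."""
    rec = dat[offset:offset + length]
    if len(rec) != length:
        raise ValueError("record at %d runs past end of .dat" % offset)
    (inner,) = struct.unpack_from("<H", rec, 0)
    if inner != length - 2:
        raise ValueError("LENGTH %d disagrees with idx length %d" % (inner, length))
    if rec[2:4] != b"M2":
        raise ValueError("missing M2 magic at offset %d" % offset)
    return {"field_id": int.from_bytes(rec[4:7], "little"),
            "field_type": rec[7], "content": rec[8:]}

def dump_store(idx: bytes, dat: bytes) -> list:
    # Read-only join of an .idx/.dat pair: each record tagged with its idx id.
    return [dict(dat_record(dat, off, n), record_id=rid) for rid, off, n in parse_idx(idx)]

def build_record(field_id: int, field_type: int, content: bytes) -> bytes:
    # Inverse of dat_record, used only to construct the sample below.
    body = b"M2" + field_id.to_bytes(3, "little") + bytes([field_type]) + content
    return struct.pack("<H", len(body)) + body

# Constructed sample (field types 0x21/0x08 are made up): two live records around
# a 4-byte deleted slot that the idx still has to account for.
REC_A = build_record(1, 0x21, b"admin")
REC_B = build_record(2, 0x08, b"\x01\x00\x00\x00")
SAMPLE_DAT = REC_A + b"\x00" * 4 + REC_B
SAMPLE_IDX = (IDX_ENTRY.pack(1, len(REC_A), USUAL_SEP)
              + IDX_ENTRY.pack(EMPTY_ID, 4, USUAL_SEP)
              + IDX_ENTRY.pack(2, len(REC_B), USUAL_SEP))
```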
Peculiarities / features
- Field IDs shared with web
- Winbox protocol derived from DAT format
– Working directly with the files? Dangerous!
mt_dat_decoder.py module
- DEMO
Where’s my password?
- Calm down! It’s encrypted!
The password is
- hashed
- salted
- md5
- Oh, wait, no. That’s the key.
The password
key = md5(username + "283i4jfkai3389")
password = user["password"] xor key
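The two lines above as running code, added as an example and not the slides' password tool; it assumes the stored value is at most 16 bytes and is XORed byte for byte with the raw MD5 digest. The point for an operator is that the value is reversible with nothing but the username, so .dat files, backups and supout.rif have to be handled as plaintext credentials.

```python
import hashlib

SALT = "283i4jfkai3389"   # the constant from the slide

def user_key(username: str) -> bytes:
    """key = md5(username + "283i4jfkai3389"), as the 16 raw digest bytes."""
    return hashlib.md5((username + SALT).encode()).digest()

def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Assumption: the stored value is at most 16 bytes and is XORed with the
    # key byte for byte; longer values are not covered by the slide.
    if len(data) > len(key):
        raise ValueError("value longer than the %d-byte key" % len(key))
    return bytes(a ^ b for a, b in zip(data, key))

def stored_value(username: str, password: str) -> bytes:
    """What ends up in user["password"]: password xor key."""
    return xor_with_key(password.encode(), user_key(username))

def recover_password(username: str, stored: bytes) -> str:
    """XOR is its own inverse, so whoever can read the .dat, a backup or a
    supout.rif gets the plaintext back knowing only the username."""
    return xor_with_key(stored, user_key(username)).decode()

if __name__ == "__main__":
    # Constructed sample user; no secret protects the stored value.
    blob = stored_value("admin", "hunter2")
    print(blob.hex(), "->", recover_password("admin", blob))
```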
The password tool
- DEMO
Backup files
Backup file layout
- Header (long)
– 0x88ACA1B1: backup
– 0xEFA89172: encrypted backup
- Length of backup file (long)
- Records of:
– Path name, idx contents, dat contents
- Each record consists of length (long) and binary data
The bug
- mkdir -p pathname("/flash/rw/store/" + filename)
- write idx to "/flash/rw/store/" + filename + ".idx"
- write dat to "/flash/rw/store/" + filename + ".dat"
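A parser for the backup layout above together with the path check that the loader on the slide is missing, added as an example (not decode_backup.py). It assumes the length field covers the whole file and that records come in strict (path, idx, dat) triples; the sample backup and its entries are constructed.

```python
import struct
from posixpath import normpath

BACKUP_MAGIC = 0x88ACA1B1      # plain backup
ENCRYPTED_MAGIC = 0xEFA89172   # encrypted backup: not handled here
STORE_DIR = "/flash/rw/store"

def read_chunk(blob: bytes, off: int):
    """One record: 4-byte LE length followed by that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % off)
    (n,) = struct.unpack_from("<I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("record at offset %d runs past end of file" % off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_backup(blob: bytes) -> list:
    """Return [(path_name, idx_bytes, dat_bytes), ...] for a plain backup."""
    if len(blob) < 8:
        raise ValueError("too short for a backup header")
    magic, total = struct.unpack_from("<II", blob, 0)
    if magic != BACKUP_MAGIC:
        raise ValueError("not a plain backup (magic %#010x)" % magic)
    if total != len(blob):  # assumption: the length field covers the whole file
        raise ValueError("length field %d != file size %d" % (total, len(blob)))
    entries, off = [], 8
    while off < len(blob):
        path, off = read_chunk(blob, off)
        idx, off = read_chunk(blob, off)
        dat, off = read_chunk(blob, off)
        entries.append((path.decode("ascii", "replace"), idx, dat))
    return entries

def escapes_store(name: str) -> bool:
    """True if "/flash/rw/store/" + name resolves outside the store directory."""
    if "\x00" in name or name.startswith("/"):
        return True
    return not normpath(STORE_DIR + "/" + name).startswith(STORE_DIR + "/")

def suspicious_paths(blob: bytes) -> list:
    # Path names a loader should refuse instead of handing them to mkdir -p.
    return [p for p, _, _ in parse_backup(blob) if escapes_store(p)]

def build_backup(entries) -> bytes:
    # Inverse of parse_backup, used only to construct the sample below.
    body = b"".join(struct.pack("<I", len(x)) + x for e in entries for x in e)
    return struct.pack("<II", BACKUP_MAGIC, 8 + len(body)) + body

# Constructed sample: an ordinary entry (placeholder idx/dat bytes) and one whose name walks out.
SAMPLE = build_backup([(b"user", b"idx-bytes", b"dat-bytes"), (b"../escape", b"", b"")])
```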
decode_backup.py
- DEMO
The end.
- Tools & jailbreak available: https://github.com/0ki/mikrotik-tools
- Latest appliance: