
Tools for effortless reverse engineering of MikroTik routers

v3
https://github.com/0ki/mikrotik-tools
http://kirils.org/

Oct 21, 2017, Hacktivity, Budapest@KirilsSolovjovs 2 / 47

Legal disclaimer

Goal of this presentation is to allow the members of the research community to assess security and achieve the interoperability of computer programs


MikroTik? Anyone even uses it?


RouterOS is …

● Linux!
  – old Linux!
● Startup scripts
● Nova binaries
● Config


And it’s also closed source & closed ecosystem


A jailbreak is needed...


A built-in backdoor. How nice.

● RouterOS 2.9.8 delivered on 15 Nov 2005
  – a wild “/nova/etc/devel-login” appears in /nova/bin/login
  – [ -f /nova/etc/devel-login && username == devel && password == admin.password ] && /bin/ash


All we gotta do is ...


All we gotta do is ...

1) Create /nova/etc/devel-login

2) telnet to 192.168.88.1 as devel


[TAB] to the rescue

● No ls? No problem!
  – cat, space, tab, tab
● Or, you know, do it properly, and upload busybox
  – statically linked, for the right architecture
  – uname -m
  – this might be of interest: https://busybox.net/downloads/binaries/1.21.1/


But how… ?


The old way

● A VirtualBox appliance!
● DEMO


The old way

● A VirtualBox appliance!
● Works only if
  – your CPU is AR9344 and the device has at least two ethernet ports
    ● RB951G-2HnD, RB951Ui-2HnD <== tested
    ● CRS109-8G-1S-2HnD-IN, CRS125-24G-1S-IN, CRS125-24G-1S-2HnD-IN
    ● RB2011L, RB2011LS, RB2011iLS-IN, RB2011iL-IN, RB2011UiAS-IN, RB2011UiAS-RM, RB2011UiAS-2HnD-IN
    ● OmniTIK 5, OmniTIK 5 PoE


The new way

● A bash/python script
● Works regardless of architecture
● Very fast
● Can do remote jailbreaks
● Will not help you recover lost passwords
● Will probably get patched soon after this presentation
● DEMO


Now. The tools.


NPK file sourcing

● getnpk.sh
  – deps: wget
● reversenpk.sh
  – deps: unsquashfs, unnpk
  – https://github.com/rsa9000/npk-tools


Kernel patches

https://github.com/wsxarcher/routeros-linux-patch


RouterOS boot process


Where do we put custom binaries?


Anywhere!

● “path” looks for the specified path in prefixed directories
  – Used throughout their scripts
  – Makes using custom scripts easier


High level overview of RouterOS


NPK format


NPK format

● Numeric values are unsigned little endian
● File consists of header, file size, parts and footer.
● The file size field is 8 bytes less than the actual file size
● Each part consists of:
  – part type (short)
  – payload size (long)
  – payload


NPK format

● At least two types of current NPKs:
  – package
    ● 0..3 header 1E F1 D0 BA
    ● footer 10 00 01 00 00 00 49
      – footer since 3.22
  – restriction (invisible package)
    ● 0..3 header FB 0F 10 A1
    ● footer 03 00 00 00 00 00
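The container layout from the two NPK slides above, as an added example (my own code, not from mikrotik-tools or npk-tools): check the header magic and the size field, walk the parts, and recognise the footer. Note that the footer bytes quoted on the slide also fit the part layout (type 0x10 with a one-byte payload, and type 3 with an empty payload), so the generic part walker consumes the footer as the last part; the part type numbers in the sample are constructed.

```python
import struct

# Header magics from the slides, as the bytes appear in the file.
NPK_MAGIC = {
    bytes.fromhex("1EF1D0BA"): "package",
    bytes.fromhex("FB0F10A1"): "restriction",
}
# Footers from the slides. Read as a part they are (type 0x10, payload 0x49)
# and (type 3, empty payload), so parse_npk() sees them as the final part.
NPK_FOOTER = {
    "package": bytes.fromhex("10000100000049"),
    "restriction": bytes.fromhex("030000000000"),
}

def parse_npk(blob):
    """Split an NPK container into (kind, parts, has_footer).
    Layout: 4-byte header, u32 LE size (total length minus 8), then parts of
    u16 LE type + u32 LE payload size + payload, the last part being the footer."""
    kind = NPK_MAGIC.get(blob[:4])
    if kind is None:
        raise ValueError("unknown NPK header %s" % blob[:4].hex())
    (size,) = struct.unpack_from("<I", blob, 4)
    if size != len(blob) - 8:
        raise ValueError("size field %d, expected %d" % (size, len(blob) - 8))
    parts, off = [], 8
    while off < len(blob):
        if off + 6 > len(blob):
            raise ValueError("truncated part header at offset %d" % off)
        ptype, psize = struct.unpack_from("<HI", blob, off)
        off += 6
        if off + psize > len(blob):
            raise ValueError("part type %d overruns the file" % ptype)
        parts.append((ptype, blob[off:off + psize]))
        off += psize
    has_footer = blob.endswith(NPK_FOOTER[kind])
    return kind, parts, has_footer

def build_npk(kind, parts, footer=True):
    """Inverse of parse_npk; used here only to construct sample input."""
    magic = next(m for m, k in NPK_MAGIC.items() if k == kind)
    body = b"".join(struct.pack("<HI", t, len(p)) + p for t, p in parts)
    if footer:
        body += NPK_FOOTER[kind]
    return magic + struct.pack("<I", len(body)) + body
```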


Part types


supout.rif


What is supout.rif?

● Support output
  – ridiculously intricate format
  – or RouterOS information file, maybe, idk ¯\_(ツ)_/¯


supout.rif from outside


supout.rif section decoding

● swap bits around
  – per three bytes
● base64
● section decodes to:
  – name + ‘\0’ + zlib_compressed_content


supout.rif section decoding


supout.rif from inside

● What does it contain?
  – your whole configuration
  – /proc/ folder
  – memory addresses
  – your log
  – and more


DEMO

Demo: mikrotik.com xss

Demo: decode_supout.py


Config files


Configuration

● Config is stored in /rw/store as pairs of files
  – IDX = index
  – DAT = data


IDX format

● Record ID (long)
  – if ID is 0xFFFFFFFF, the field has no content
  – used for offsetting
● length (long)
● separator (long)
  – usually 0x05000000


DAT format

● LENGTH (short)
● M2 RECORD of that length
  – Config ID (3 bytes)
  – type (1 byte)
  – content depends on type
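The IDX and DAT layouts from the two slides above, as an added example (not code from the mt_dat_decoder.py module). Assumptions beyond the slides: IDX entries map to DAT slots in order, so a slot's DAT offset is the running sum of the earlier IDX lengths and each length covers the whole slot including its 2-byte LENGTH prefix; the separator is the raw byte sequence 05 00 00 00; type-specific content is returned as raw bytes.

```python
import struct

EMPTY_ID = 0xFFFFFFFF                      # IDX entry that carries no content
IDX_SEPARATOR = bytes.fromhex("05000000")  # slide: "usually 0x05000000"

def parse_idx(blob):
    """12-byte IDX entries (u32 id, u32 length, separator) -> [(id, dat_offset, length)]."""
    entries, off = [], 0
    for pos in range(0, len(blob), 12):
        rid, length, sep = struct.unpack_from("<II4s", blob, pos)
        if sep != IDX_SEPARATOR:
            raise ValueError("unexpected separator %s at %d" % (sep.hex(), pos))
        # Assumption: DAT slots follow the IDX order, so the offset accumulates.
        entries.append((rid, off, length))
        off += length
    return entries

def parse_dat_slot(blob, off):
    """DAT slot: u16 LE LENGTH, then an M2 record of 3-byte config ID (LE),
    1-byte type and type-specific content, which is returned raw."""
    (length,) = struct.unpack_from("<H", blob, off)
    rec = blob[off + 2:off + 2 + length]
    if len(rec) != length or length < 4:
        raise ValueError("bad M2 record at DAT offset %d" % off)
    return {"config_id": int.from_bytes(rec[:3], "little"),
            "type": rec[3], "content": rec[4:]}

def load_store(idx_blob, dat_blob):
    """Join IDX and DAT into {record_id: record}; empty IDX entries are skipped."""
    records = {}
    for rid, off, length in parse_idx(idx_blob):
        if rid == EMPTY_ID:
            continue
        rec = parse_dat_slot(dat_blob, off)
        if 2 + 4 + len(rec["content"]) != length:
            raise ValueError("IDX length %d disagrees with DAT for id %d" % (length, rid))
        records[rid] = rec
    return records

def build_store(items):
    """Inverse of load_store from (id, config_id, type, content) tuples; an id of
    None writes an empty IDX entry over `content` filler bytes. Sample input only."""
    idx, dat = b"", b""
    for rid, cfg, typ, content in items:
        if rid is None:
            slot, rid = content, EMPTY_ID
        else:
            body = cfg.to_bytes(3, "little") + bytes([typ]) + content
            slot = struct.pack("<H", len(body)) + body
        idx += struct.pack("<II", rid, len(slot)) + IDX_SEPARATOR
        dat += slot
    return idx, dat
```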


Peculiarities / features

● Field IDs shared with web
● Winbox protocol derived from DAT format
  – Working directly with files?
  – Dangerous!


mt_dat_decoder.py module

● DEMO


Where’s my password?

● Calm down! It’s encrypted!


The password is

● hashed
● salted
● md5

● Oh, wait, no. That’s the key.


The password

key = md5(username + "283i4jfkai3389")

password = user["password"] xor key


The password tool

● DEMO


Backup files


Backup file layout

● Header (long)
  – 0x88ACA1B1 – backup
  – 0xEFA89172 – encrypted backup
● Length of backup file (long)
● Records of:
  – Path name, idx contents, dat contents
● Each record consists of length (long) and binary data


The bug

● mkdir -p pathname("/flash/rw/store/" + filename)
● write idx to "/flash/rw/store/" + filename + ".idx"
● write dat to "/flash/rw/store/" + filename + ".dat"
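Added example for the backup layout slide and the unsanitised filename on this slide (my own code, not decode_backup.py): a parser for plain backups plus the path check a safe restore needs before the mkdir -p and the two writes. Assumptions: the header and length fields are little-endian u32s, the slide's 0x88ACA1B1 / 0xEFA89172 are the values read that way, and the length field counts the whole file.

```python
import posixpath
import struct

BACKUP_MAGIC = 0x88ACA1B1     # plain backup (assumed read as u32 LE)
ENCRYPTED_MAGIC = 0xEFA89172  # encrypted backup; not handled here
STORE_ROOT = "/flash/rw/store/"

def parse_backup(blob):
    """Return [(path, idx_bytes, dat_bytes), ...] from a plain backup.
    Header u32 magic, u32 file length, then records of (u32 length + data)
    in groups of three: path name, idx contents, dat contents.
    Assumption: the length field is the total file length."""
    magic, total = struct.unpack_from("<II", blob, 0)
    if magic == ENCRYPTED_MAGIC:
        raise ValueError("encrypted backup: decrypt it first")
    if magic != BACKUP_MAGIC:
        raise ValueError("not a backup file: header %08x" % magic)
    if total != len(blob):
        raise ValueError("length field %d != %d" % (total, len(blob)))
    fields, off = [], 8
    while off < len(blob):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("record overruns the file at %d" % off)
        fields.append(blob[off:off + n])
        off += n
    if len(fields) % 3:
        raise ValueError("record count %d is not a multiple of 3" % len(fields))
    return [(fields[i].decode(), fields[i + 1], fields[i + 2])
            for i in range(0, len(fields), 3)]

def store_target(name):
    """Map a backup path name to its .idx/.dat locations, refusing any name
    that would leave STORE_ROOT (the check missing from the bug on the slide)."""
    target = posixpath.normpath(posixpath.join(STORE_ROOT, name))
    if not target.startswith(STORE_ROOT):
        raise ValueError("path %r escapes %s" % (name, STORE_ROOT))
    return target + ".idx", target + ".dat"

def build_backup(records):
    """Assemble a plain backup from [(path, idx, dat)]; sample input only."""
    body = b"".join(struct.pack("<I", len(f)) + f
                    for p, i, d in records for f in (p.encode(), i, d))
    return struct.pack("<II", BACKUP_MAGIC, 8 + len(body)) + body
```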


decode_backup.py

● DEMO


The end.

● Tools & jailbreak available
  – https://github.com/0ki/mikrotik-tools
● Latest appliance:
  – http://02.lv/f/2017/09/15/MT_JB_0.89.ova