A deeper journey into MikroTik routers… (transcript of the slides)
A deeper journey into MikroTik routers
v2
Now with 53% unseen content
@KirilsSolovjovs @Janamaja 2 / 62
– Tanoy Bose
Us
● Kirils – passionate about … things and stuff
● Jānis – maker … who sometimes breaks things
Legal disclaimer
Goal of this research is to achieve the interoperability of computer programs (i.e. software running on MikroTik routers) with other computer programs.
ACK: Prior research
● “antony++” from awmn.net – Initial NPK analysis
● “drubicza” – NPK file unpacking
● Paul McCall – Initial supout.rif analysis
● OpenWRT team – kernel config files
ACK: The team
● Kirils Solovjovs – dynamic binary analysis, jailbreak scripts, internal file format analysis
● Jānis Jansons – static binary analysis, webfig analysis, bootup sequence, testing
● You?
– Interested in MikroTik sw/hw
– Experience in Linux or reverse engineering
Content outline
● RouterOS intro
● RouterOS boot process and binaries
● Package format
● supout.rif
● Config files
● Lots of demos, of course!
Who uses MikroTik?
Do they update?
RouterOS externals
RouterOS is …
● Linux (kernel) + startup scripts + nova binaries + config
GPL to the rescue?
https://github.com/wsxarcher/routeros-linux-patch
History: the beginnings
● 1999 – MikroTik™ v2.0 Router Software
– initial release
– works on 486
– upgrades available as packages
● 2001 – MikroTik™ v2.3 Router Software
– npk first mentioned as a method for extending functionality
History: not just x86
● 12 Feb 2004 – MikroTik RouterOS™ V2.8
– software key system changed
– has not been changed since!
● 1 Aug 2005 – MikroTik RouterOS™ V2.9
– first new architecture introduced: mipsel for RB500
History: “backdoor”
● 15 Nov 2005 – 2.9.8
– a wild “/nova/etc/devel-login” appears in /nova/bin/login
– [ -f /nova/etc/devel-login && username == devel && password == admin.password ] && /bin/ash
– fun fact: previously the username was “bash”
History: the ghost & signing
● 8 Feb 2009 – 3.21
– what’s up with this version?
– why has it vanished from the internet?
● 16 Mar 2009 – 3.22
– npk verification and signing added
– checksum and signature checked by /nova/bin/installer
– no more free lunches
History: SquashFS in NPK
● 7 May 2013 – 6.0 (since beta3)
– SquashFS employed in npk files
– zerofill blocks added, so that the actual SquashFS start is located at an address divisible by 4096
● 6 Nov 2015 – 6.33
– packages now include the distribution channel: bugfix | current | development | release-candidate
¿Development branch?
RouterOS ecosystem revisited
DEMO: RouterOS console
RouterOS command tree viewer memory requirements (.png)
/ip 3.7 GiB
/interface 3.5 GiB
/routing 2.1 GiB
/tool 1.9 GiB
/system 1.2 GiB
/caps-man 1.1 GiB
/ipv6 0.9 GiB
Example: /log command
RouterOS internals
RouterOS boot process
A nice feature for jailbreakers...
● “path” looks for the specified path in prefixed directories
– Used throughout their scripts
– Makes using custom scripts easier
RouterOS boot process
nova binaries
● loader – Spawns processes and manages communication between them
● watchdog – Restarts the device if a critical process stops working
● sys2 – Manages device settings and parses received commands
● sermgr – Super-server daemon that provides internet services
sermgr ≈ inetd
nova binaries
● net – Deals with network configuration, tunnels, AT commands
● moduler – Manages loading of firmware for external devices
– e.g. usb2serial adapters, 3G modems
● modprobed – Symlink to moduler, used for loading kernel modules
● manager – User and group management
nova binaries
● log – Log daemon
● mproxy – Winbox daemon
● quickset – Separate daemon for management of quickset settings
● undo – Safe mode support
● www – Web interface daemon
Package format
NPK format
● Numeric values are unsigned little endian
● File consists of header, file size, parts and footer
● File size field is 8 bytes less than the actual file size
● Each part consists of:
– part type (short)
– payload size (long)
– payload
NPK format
● At least two types of current NPKs:
– package
  ● 0..3 header 1E F1 D0 BA
  ● footer 10 00 01 00 00 00 49 (footer since 3.22)
– restriction (invisible package)
  ● 0..3 header FB 0F 10 A1
  ● footer 03 00 00 00 00 00
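Added example, not the authors' tooling: a small Python parser for the container layout on the two NPK slides above. It checks the magic and the size field, walks the (type, size, payload) parts without trusting a declared size past the end of the buffer, and reports where a SquashFS image starts relative to the 4096-byte alignment from the 6.0 slide. The sample package is constructed (its part type numbers are invented), the quoted footer bytes are assumed to parse as one more part record, and the 3.22 signature check is not modelled.

```python
import struct

# 4-byte magics quoted on the slides for the two NPK kinds.
PACKAGE_MAGIC = bytes.fromhex("1EF1D0BA")
RESTRICTION_MAGIC = bytes.fromhex("FB0F10A1")
# Footer bytes quoted on the slides (package footer present since 3.22).
PACKAGE_FOOTER = bytes.fromhex("10000100000049")
RESTRICTION_FOOTER = bytes.fromhex("030000000000")
SQUASHFS_MAGIC = b"hsqs"  # little-endian SquashFS superblock magic


class NpkError(ValueError):
    """Raised when the bytes do not match the container layout from the slides."""


def parse_npk(data: bytes):
    """Split an NPK container into its parts.

    Layout from the slides: 4-byte magic, 4-byte file size (total length minus 8),
    then parts of (type: u16, payload size: u32, payload), all little endian.
    Returns (kind, parts); each part is (type, absolute payload offset, payload).
    Assumption: the quoted footer bytes are parsed like any other part record.
    """
    if len(data) < 8:
        raise NpkError("shorter than magic + size field")
    magic = data[:4]
    if magic == PACKAGE_MAGIC:
        kind = "package"
    elif magic == RESTRICTION_MAGIC:
        kind = "restriction"
    else:
        raise NpkError(f"unknown magic {magic.hex()}")
    (declared,) = struct.unpack_from("<I", data, 4)
    if declared != len(data) - 8:
        raise NpkError(f"size field {declared} != actual {len(data) - 8}")
    parts = []
    off = 8
    while off < len(data):
        if off + 6 > len(data):
            raise NpkError(f"truncated part header at offset {off}")
        part_type, size = struct.unpack_from("<HI", data, off)
        payload_off = off + 6
        if payload_off + size > len(data):  # untrusted size: never read past the end
            raise NpkError(f"part {part_type:#06x} at {off} overruns the file")
        parts.append((part_type, payload_off, data[payload_off:payload_off + size]))
        off = payload_off + size
    return kind, parts


def squashfs_offsets(data: bytes):
    """Absolute offsets of SquashFS images inside the parts, after the zerofill
    padding the slides describe, plus whether each start is 4096-aligned."""
    found = []
    for _, payload_off, payload in parse_npk(data)[1]:
        stripped = payload.lstrip(b"\0")
        if stripped.startswith(SQUASHFS_MAGIC):
            start = payload_off + (len(payload) - len(stripped))
            found.append((start, start % 4096 == 0))
    return found


def build_npk(magic: bytes, parts, footer: bytes) -> bytes:
    """Assemble a container from (type, payload) pairs; used for the sample below."""
    body = b"".join(struct.pack("<HI", t, len(p)) + p for t, p in parts) + footer
    return magic + struct.pack("<I", len(body)) + body


# Constructed sample (not a real MikroTik package): a name part, then a part whose
# payload is zero-filled so the fake SquashFS superblock lands at offset 4096.
_PAYLOAD_OFF = 8 + 6 + 6 + 6  # magic+size, part 1 header+payload, part 2 header
SAMPLE = build_npk(PACKAGE_MAGIC,
                   [(0x0001, b"system"),
                    (0x0015, b"\0" * (4096 - _PAYLOAD_OFF) + SQUASHFS_MAGIC + b"\0" * 92)],
                   PACKAGE_FOOTER)

if __name__ == "__main__":
    kind, parts = parse_npk(SAMPLE)
    print(kind, [(hex(t), len(p)) for t, _, p in parts])
    print(squashfs_offsets(SAMPLE))
```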
Part types
supout.rif
What is supout.rif?
● Support output – ridiculously intricate format
– or RouterOS information file, maybe, idk ¯\_(ツ)_/¯
supout.rif from outside
supout.rif section decoding
● swap bits around – per three bytes
● base64
● section decodes to:
– name + ‘\0’ + zlib_compressed_content
supout.rif section decoding
supout.rif from inside
● What does it contain?
– your whole configuration
– /proc/ folder
– memory addresses
– your log
– and more
mikrotik.com has a reader ...
… but it won’t show you everything
DEMO
Demo: mikrotik.com xss
Demo: decode_supout.py
Config file format
Configuration
● Config is stored in /rw/store as pairs of files
– IDX = index
– DAT = data
IDX format
● Record ID (long)
– if ID is 0xFFFFFFFF, field has no content
– used for offsetting
● length (long)
● separator (long)
– usually 0x05000000
DAT format
● LENGTH (short)
● M2 RECORD of that length:
– Config ID (3 bytes)
– type (1 byte)
– content depends on the type
Peculiarities / features
● Field IDs shared with web
● Winbox protocol derived from DAT format
– Working directly with files?
– Dangerous!
Where to get field IDs?
user.dat has your password?
● Yep!
283i4jfkai3389
key = md5(username + "283i4jfkai3389")
password = password xor key
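Added example (not from the talk's tooling) of the formula above, seen from the defender's side: the 16-byte key is derived only from the username, which is stored in the same file, so the stored bytes round-trip to plaintext with nothing secret involved, and a user.dat inside a backup or supout.rif should be treated as a plaintext credential. How passwords longer than the 16-byte key are laid out is not stated on the slide; this code assumes nothing about that and refuses them.

```python
import hashlib

SALT = b"283i4jfkai3389"  # constant quoted on the slide


def userdat_key(username: str) -> bytes:
    """key = md5(username + "283i4jfkai3389"): 16 bytes that depend only on the
    username, i.e. on data stored right next to the obfuscated password."""
    return hashlib.md5(username.encode() + SALT).digest()


def xor_with_key(username: str, value: bytes) -> bytes:
    """password = password xor key.  XOR is its own inverse, so the same call
    turns a plaintext into the stored form and the stored form back into plaintext.
    Assumption: only passwords up to the 16-byte key length are covered here; the
    slide does not describe longer ones, so they are refused instead of guessed."""
    key = userdat_key(username)
    if len(value) > len(key):
        raise ValueError("password longer than the 16-byte key: layout not covered")
    return bytes(b ^ k for b, k in zip(value, key))


def stored_form_is_reversible(username: str, password: bytes) -> bool:
    """Round-trip check: with the username alone, the stored bytes map back to the
    plaintext.  Real encryption would need a secret that is not in the file."""
    stored = xor_with_key(username, password)
    return xor_with_key(username, stored) == password


if __name__ == "__main__":
    # Constructed account, not real credentials.
    print(xor_with_key("admin", b"s3cret").hex())
    print(stored_form_is_reversible("admin", b"s3cret"))
```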
Rooting the router
Getting shell
1) Create /nova/etc/devel-login
2) telnet to 192.168.88.1 as devel – yaay! :)
3) ls – fail :(
[TAB] to the rescue
● No ls? No problem! – cat, space, tab, tab
● Or, you know, do it properly, and upload busybox – statically linked, for the right architecture
– uname -m
– this might be of interest: https://busybox.net/downloads/binaries/1.21.1/
Can we speed this up?
● Of course.
● A VirtualBox appliance!
– does the work for you
● This should work out nicely*
– If your CPU is AR9344 and the device has at least two ethernet ports
● RB951G-2HnD, RB951Ui-2HnD <== tested
● CRS109-8G-1S-2HnD-IN, CRS125-24G-1S-IN, CRS125-24G-1S-2HnD-IN
● RB2011L, RB2011LS, RB2011iLS-IN, RB2011iL-IN, RB2011UiAS-IN, RB2011UiAS-RM, RB2011UiAS-2HnD-IN
● OmniTIK 5, OmniTIK 5 PoE
How to use the appliance
Demo: MT_JB_0.89.ova
1) Import the appliance
2) Make sure bridged network card is set to ethernet
3) Disconnect all wires from the router, power it up
4) Start the virtual machine and follow instructions
5) Be ready to swiftly re-plug the cable when prompted
So, what’s new?
● What if I’ve forgotten my password?
Not a problem! ;)
DEMO
Question time
● Tools are available: https://github.com/0ki/
● Current appliance: http://02.lv/f/2017/09/15/MT_JB_0.89.ova – good luck guessing which letters are capital ;p