A Journey Into Reverse Engineering Parts Of MikroTik .
Rooting the MikroTik routersA journey into reverse engineering partsof MikroTik system to gain access tohardware features and the shell behindthe RouterOS that has no “ls”
Who? Me? Who am I?– https://twitter.com/KirilsSolovjovsWhat do I do?–http://kirils.org/2 / 43
Legal disclaimerGoal of this research is to achieve the interoperability ofcomputer programs (i.e. software running on MikroTikrouters) with other computer programs.X3 / 43
ACK: Prior research “antony ” from awmn.net– “drubicza”– Initial NPK analysisNPK file unpackingOpenWRT team–kernel config files4 / 43
ACK: The team Kirils Solovjovs– Jānis Jansons– dynamic binary analysis, jailbreak scriptsstatic binary analysis, bootup sequenceEmīls Romanis–music5 / 43
Content outline RouterOS overview Reversing supout.rif NPK format Rooting the router6 / 43
RouterOS overview7 / 43
RouterOS ecosystem8 / 43
RouterOS history9 / 43
10 / 43
RouterOS history 1999– MikroTik v2.0 Router Software initial release works on 486 upgrades available as packages2000–MikroTik v2.1 Router Software according to marketing11 / 43
RouterOS history 2001–MikroTik v2.2 Router Software–MikroTik v2.3 Router Software npk first mentioned as method for extending functionalityJan 2002–MikroTik RouterOS V2.4–RouterOS is finally born!12 / 43
RouterOS history Aug 2002– Dec 2002– MikroTik RouterOS V2.5MikroTik RouterOS V2.6Dec 2003– MikroTik RouterOS V2.7 You’ve reached the mostboring slide. Apologies.And congrats – nextslides will be less boring.13 / 43
RouterOS history 12 Feb 2004– MikroTik RouterOS V2.8 software key system changed key algorithm has not been changed since1 Aug 2005–MikroTik RouterOS V2.9 new architecture introduced–mipsel for RB50014 / 43
RouterOS history 15 Nov 2005–2.9.8 a wild “/nova/etc/devel-login” appearsin /nova/bin/login[ -f /nova/etc/devel-login && username devel && password admin.password ] && /bin/sh20 Feb 2008–2.9.51 is as high as 2.9 branch goes15 / 43
RouterOS history 15 Jan 2008– 3.0mid-2008–around 3.10 anotony releases createnpk.py and dumpnpk.py on the forums ofAthens Wireless Metropolitan Networkallows to not only unpack npk, but also create your own16 / 43
RouterOS history 8 Feb 2009– 3.21 what’s up with this version? why has it vanished from the internet?16 Mar 2009–3.22 npk verification and signing added checksum and signature checked by /nova/bin/installer no more free lunches17 / 43
RouterOS history 12 Oct 2009– 4.031 Mar 2011–5.0 release cycle is getting slower 7 May 2013–6.0 (since beta3) SquashFS employed in npk files zerofill blocks added–so that actual SquashFS start is located at addresses divisible by 409618 / 43
RouterOS history 8 Jul 2015–6.30 sha1 digest block (ascii) added to npk files format suggests it’s not being used for verification,probably just for identification 6 Nov 2015–6.33 packages now include distribution channel–bugfix current development release-candidate19 / 43
hAP mini (RB931-2ND)20 / 43
21 / 43
RouterOS command treexviewer memoryrequirements (.png)/ip3.7 GiB/interface 3.5 GiB/routing 2.1 GiB/tool1.9 GiB/system 1.2 GiB/caps-man1.1 GiB/ipv60.9 GiB22 / 43
RouterOS command tree [15/62]23 / 43
Reversing supout.rif24 / 43
supout.rif from outside each section decodes to:–name ’\0’ zlib compressed content25 / 43
supout.rif from inside What does it contain?–your wholeconfiguration–/proc/ folder–memory addresses–your log–and more26 / 43
DEMODemo: decode supout.py27 / 43
mikrotik.com also has a reader .28 / 43
but it won’t show you everythingDemo: supout m.rifDemo: supout show.php29 / 43
NPK format30 / 43
NPK format Numeric values are unsigned little endian File consists of header, file size, parts and footer. File size is 8B less Each part consist of:–part type (short)–payload size (long)–payload31 / 43
NPK format At least two types of current NPKs:–package 0.3 header 1E F1 D0 BA footer 10 00 01 00 00 00 49––footer since 3.22restriction (invisible package) 0.3 header FB 0F 10 A1 footer 03 00 00 00 00 0032 / 43
Part types33 / 43
part 0x09 - signature Packages are signed (since 3.22)–broken packages will not be installed Part type 09 00 – signature Size – always 0x44 First 20 bytes–sha1sum of everything from the previous part 01 00 (including part type & size)up to 09 00 44 00 00 00 Remaining 48 bytes - unknown signature–Last byte always less than 0x10–Verified based on public key or seed C2 75 D7 23 57 66 AE C8 66 D4 C5 95 73 C8 E1 88 A513 39 93 6E 94 D2 CC F1 1F 9F F5 BA ED 71 3734 / 43
part 0x17 – digest Size – 0x28 (40 bytes) ascii representation of a SHA1 hash most likely used here as UUID35 / 43
Rooting the router36 / 43
Getting shell1) Create /nova/etc/devel-login2) telnet to 192.168.88.1 as devel–yaay! :)3) ls–fail :(37 / 43
[TAB] to the rescue No ls? No problem!– cat, space, tab, tabOr, you know, do it properly, and upload busybox–statically linked, for the right architecture –uname -mthis might be of interest: https://busybox.net/downloads/binaries/1.21.1/38 / 43
Can we speed this up? Of course. A VirtualBox appliance!– does all most of the work for youThis should work out nicely*–If your CPU is AR9344 and device has at least two ethernet ports RB951G-2HnD, RB951Ui-2HnD tested CRS109-8G-1S-2HnD-IN, CRS125-24G-1S-IN, CRS125-24G-1S-2HnD-IN RB2011L, RB2011LS, RB2011iLS-IN, RB2011iL-IN, RB2011UiAS-INRB2011UiAS-RM, RB2011UiAS-2HnD-INOmniTIK 5, OmniTIK 5 PoE39 / 43
How to use the applianceDemo: MT JB 0.81 fin.ova1) Import the appliance2) Make sure bridged network card is set to ethernet3) Disconnect all wires from the router, power it up4) Start the virtual machine and follow instructions5) Be ready to swiftly re-plug the cable when prompted40 / 43
Yes, yes, that’s nice, but . Can my RouterBOARD play Für Elise? Let’s see and listen!41 / 43
Für EliseDemo: elise.sh42 / 43
FIN Tools (will be) availablehttps://github.com/0ki/ Didn’t manage to ask yourquestion? Wanna hang out?–call 4488–tweet @KirilsSolovjovs–mail sha2017 at kirils org–meet SpeakerDesk43 / 43
RouterOS history 2001 – MikroTik v2.2 Router Software – MikroTik v2.3 Router Software npk first mentioned as method for extending functionality Jan 2002 – MikroTik
A Practical Guide to Reverse VAT 1. Contents 2. What is Reverse VAT? 3. Will Reverse VAT affect your business? 4. What is an End User? 5. Commercial End Users 6. Domestic End Users 7. When will Reverse VAT begin? 8. The Current VAT System 9. The New Reverse VAT System 10. Construction services subject to Reverse VAT 11. What else does Reverse VAT apply to? 12. Services NOT subject to .
Reverse Weave Reverse Weave Crew - Oxford Grey Sizes: S – 3XL 54.99 Reverse Weave Crew - Silver Grey Sizes: S – 3XL 59.95 Reverse Weave Crew - Silver Grey Sizes: XS – 3XL 54.99 Reverse Weave Reverse Out Crew Sizes: XS – 2XL 68.95 Reverse Weave Screen Print Hood - Silver Grey Sizes: XS – 3XL 64.99 Reverse Weave Hood - Silver Grey .
The following will guide a vendor through the process of responding to a Reverse Auction in Procure.AZ. Reverse auctions, to put it simply, are like eBay in reverse. With a Reverse Auction, vendors bid against each other downward for the win. All Reverse Auctions offered by the State in ProcureAZ will be managed online, including Reverse Auction
the journey p. 3 table of contents date title & passage & page the journey of becoming matthew 16:13-23 p. 6 a journey marked by faith genesis 12:1-20 p. 11 a journey marked by vision and courage numbers 13:1- 14:38 p. 16 a journey marked by sacrificial generosity 1 kings 17:8-16 p. 22 a journey marked by confidence psalm 62 p. 27 a journey marked by grace 1 corinthians 15:1 .
Customer Journey Analytics The Customer Journey Atlas In Six Steps Drive Customer Obsession With Journey Analytics The Forrester Wave : Journey Orchestration Platforms, Q4 2018 The Journey Analytics Road Map: From Start To Scale Now Tech: Journey Management, Q4 2018 The Seven Top Questions About Journey Analytics FOR CUSTOMER EXPERIENCE .
MODEL A CUSTOMER JOURNEY MAP The journey from end-to-end Design the customer journey map with the several journey steps as framework of activities Define touchpoints to the corresponding journey steps Specify the touchpoints by particular attributes and objects Mark journey steps that have to be improved by traffic light symbols
1.8 Journey Management Emergency Procedures 19 1.9 Retention of Journey Management Plans 19 1.10 Hand Over of Journey Management Responsibility 19 1.11 Journey Management Reporting 19 1.12 Journey Management Practices, Inspection and Audit 19 Attachment 1 NDSC Journey Plan 20 Attachment 2 Journey Management Emergency Procedures 21
Reversing: Secrets of Reverse Engineering Eldad Eilam WILEY Wiley Publishing, Inc. Contents Foreword Acknowledgments Introduction Parti Chapter 1 Reversing 101 Foundations What Is Reverse Engineering? Software Reverse Engineering: Reversing Reversing Applications Security-Related Reversing Mali
